how to find the spyware!


#1
anderson2999

Dear all,

I'm pretty sure my computer has spy software, but I can't find it.

I have used some tools to harden and scan my system, as follows:

  1. Microsoft Sysinternals tools (Process Explorer, Process Monitor, TCPView, Autoruns).
  2. Used the online VirusTotal scan on some suspicious files.
  3. Changed the anti-virus software (Avira, Avast, Kaspersky); now using Avira.
  4. Used Microsoft SFC and DISM to check the system files.
  5. Used Trend Micro HijackThis to scan.
  6. Used Wireshark to look for suspicious network traffic (only found Microsoft and anti-virus software traffic).
  7. Checked the scheduled tasks and cleared them.
  8. Closed some suspicious services, including network sharing and Remote Assistance.
  9. Enabled UAC, EMET and DEP.
  10. Disabled VBScript in the registry.

The naughty software keeps cutting my network: I find the network card has been disabled in ncpa.cpl, and I always have to enable it manually again. It happens randomly and unpredictably.

Sometimes the spy software empties the music folders on my disk, or "removes my music videos and then puts them back".

It seems to be showing off someone's hacking skills to me. The spy software always wastes my time.

My system is Windows 10, build 14393.

I really need some professional or geek to help me find the spy software!!

Thank you very much!!


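As an added example (not from the poster, and not output of any of the tools listed above), the following PowerShell script watches for the adapter-disable symptom described in the post and, whenever an adapter changes state, records the processes, scheduled tasks and System-log events from the preceding two minutes, so the cause can be traced instead of just undone by re-enabling the card. The log path, polling interval and lookback window are assumptions; run it from an elevated PowerShell.

```powershell
# Added example, not part of the original post: log what was running on the
# machine at the moment a network adapter flips to "Disabled". It collects
# evidence for triage; it does not remove anything. Names below are assumptions.
param(
    [string]$LogPath  = "$env:USERPROFILE\Desktop\nic-watch.log",  # assumed location
    [int]$PollSeconds = 5,      # how often adapter state is sampled
    [int]$LookbackSec = 120     # how far back to look when a change is seen
)

function Get-AdapterStates {
    # Snapshot of every physical adapter's status (Up / Disconnected / Disabled), keyed by name.
    $states = @{}
    Get-NetAdapter -Physical | ForEach-Object { $states[$_.Name] = $_.Status.ToString() }
    return $states
}

function Get-RecentProcesses([datetime]$Since) {
    # Processes created inside the lookback window. Win32_Process exposes the
    # creation time, parent PID and command line, which Get-Process does not.
    Get-CimInstance Win32_Process |
        Where-Object { $_.CreationDate -and $_.CreationDate -ge $Since } |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate
}

function Get-RecentTasks([datetime]$Since) {
    # Scheduled tasks whose last run falls inside the window. The post says the
    # task list was cleared, so any task that fired just now is worth a look.
    Get-ScheduledTask | Get-ScheduledTaskInfo |
        Where-Object { $_.LastRunTime -and $_.LastRunTime -ge $Since } |
        Select-Object TaskName, TaskPath, LastRunTime, LastTaskResult
}

function Get-RecentSystemEvents([datetime]$Since) {
    # System-log events in the window; service-control and network/device
    # providers usually leave a trace when an adapter is switched off.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Write-Snapshot([string]$Adapter, [string]$OldState, [string]$NewState) {
    # Append one block per transition: header, then the three evidence tables.
    $now   = Get-Date
    $since = $now.AddSeconds(-$LookbackSec)
    $lines = @(
        "==== $($now.ToString('s')) adapter '$Adapter' changed $OldState -> $NewState ====",
        "--- processes created in the last $LookbackSec s ---"
    )
    $lines += Get-RecentProcesses $since | Format-Table -AutoSize | Out-String -Width 300
    $lines += "--- scheduled tasks that ran in the last $LookbackSec s ---"
    $lines += Get-RecentTasks $since | Format-Table -AutoSize | Out-String -Width 300
    $lines += "--- System log events in the last $LookbackSec s ---"
    $lines += Get-RecentSystemEvents $since | Format-Table -AutoSize -Wrap | Out-String -Width 300
    Add-Content -Path $LogPath -Value $lines
}

# Main loop: compare successive snapshots and record every state transition,
# not only Up -> Disabled, so the re-enable done by hand is logged as well.
$previous = Get-AdapterStates
Write-Host "Watching $($previous.Count) adapter(s); logging to $LogPath. Ctrl+C to stop."
while ($true) {
    Start-Sleep -Seconds $PollSeconds
    $current = Get-AdapterStates
    foreach ($name in $current.Keys) {
        $old = $previous[$name]
        $new = $current[$name]
        if ($old -and $old -ne $new) {
            Write-Host "$(Get-Date -Format s)  $name : $old -> $new"
            Write-Snapshot -Adapter $name -OldState $old -NewState $new
        }
    }
    $previous = $current
}
```

If process-creation auditing is enabled, adding a second Get-WinEvent query against the Security log for the same window gives the parent/child chain with the user account that started each process.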



#2
anderson2999 (Topic Starter)

I am posting FRST.txt and Addition.txt, as follows:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-06-2017
Ran by mbwuyrhjr (administrator) on DESKTOP-FRUVPUV (12-06-2017 22:28:34)
Running from C:\Users\mbwuyrhjr\Downloads
Loaded Profiles: mbwuyrhjr (Available Profiles: defaultuser0 & mbwuyrhjr)
Platform: Windows 10 Pro Version 1607 (X64) Language: Chinese (Traditional, Taiwan)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
2017-06-09 20:37 - 2016-12-22 14:22 - 00000000 ____D C:\Users\mbwuyrhjr\AppData\Local\CrashDumps
2017-06-09 18:31 - 2017-04-25 01:02 - 00003782 _____ C:\Windows\System32\Tasks\AviraSystemSpeedupUpdate
2017-06-09 18:31 - 2017-01-24 22:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2017-06-09 18:30 - 2017-01-24 22:01 - 00000000 ____D C:\Program Files (x86)\Avira
2017-06-09 14:34 - 2016-07-16 19:47 - 00000000 ____D C:\Windows\LiveKernelReports
2017-06-04 15:58 - 2016-12-22 13:59 - 00000000 ____D C:\Users\mbwuyrhjr\AppData\LocalLow\Mozilla
2017-06-04 15:34 - 2016-12-22 13:58 - 00000000 ____D C:\Program Files\Mozilla Firefox
2017-06-04 15:34 - 2016-12-22 13:58 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-06-03 17:36 - 2017-03-28 20:17 - 00000000 ____D C:\Users\mbwuyrhjr\Documents\Outlook 檔案
2017-06-01 15:23 - 2016-12-22 10:09 - 00000000 ____D C:\ProgramData\Package Cache
2017-05-26 18:25 - 2017-05-08 08:44 - 00000000 ____D C:\Windows\AppReadiness
2017-05-24 13:32 - 2017-05-08 01:58 - 00000000 ____D C:\ProgramData\GoodSync
2017-05-24 13:32 - 2016-12-23 01:28 - 00000000 ____D C:\Users\mbwuyrhjr\AppData\Roaming\GoodSync
2017-05-21 12:54 - 2017-01-10 11:25 - 00000000 ____D C:\Users\mbwuyrhjr\Downloads\depkit_doc
2017-05-21 12:54 - 2017-01-10 11:23 - 00000000 ____D C:\Users\mbwuyrhjr\Downloads\depkit
 
==================== Files in the root of some directories =======
 
2017-03-02 14:49 - 2017-03-02 14:49 - 0000600 _____ () C:\Users\mbwuyrhjr\AppData\Roaming\winscp.rnd
2017-04-22 11:08 - 2017-04-22 11:50 - 0000600 _____ () C:\Users\mbwuyrhjr\AppData\Local\PUTTY.RND
2016-12-22 10:59 - 2017-06-10 12:57 - 0007591 _____ () C:\Users\mbwuyrhjr\AppData\Local\Resmon.ResmonCfg
2017-05-03 18:59 - 2017-05-03 18:59 - 0000291 _____ () C:\Users\mbwuyrhjr\AppData\Local\zenmap.exe.log
2017-01-24 21:59 - 2017-01-24 21:59 - 0240317 _____ () C:\ProgramData\1485266120.bdinstall.bin
2017-03-16 23:12 - 2017-03-16 23:12 - 0030029 _____ () C:\ProgramData\agent.uninstall.1489677133.bdinstall.bin
2017-03-16 22:20 - 2017-03-16 22:20 - 0029373 _____ () C:\ProgramData\agent.update.1489674031.bdinstall.bin
2016-12-22 10:18 - 2016-12-22 10:18 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Some files in TEMP:
====================
2017-06-10 14:42 - 2017-06-12 22:26 - 1165984 ____H (Sysinternals - www.sysinternals.com) C:\Users\mbwuyrhjr\AppData\Local\Temp\Procmon64.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-12-22 09:36
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-06-2017
Ran by mbwuyrhjr (12-06-2017 22:29:08)
Running from C:\Users\mbwuyrhjr\Downloads
Windows 10 Pro Version 1607 (X64) (2016-12-22 01:45:47)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2728424925-2742704299-915834903-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2728424925-2742704299-915834903-503 - Limited - Disabled)
defaultuser0 (S-1-5-21-2728424925-2742704299-915834903-1000 - Limited - Disabled) => C:\Users\defaultuser0
Guest (S-1-5-21-2728424925-2742704299-915834903-501 - Limited - Disabled)
mbwuyrhjr (S-1-5-21-2728424925-2742704299-915834903-1001 - Administrator - Enabled) => C:\Users\mbwuyrhjr
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Avira Antivirus (Enabled - Up to date) {B3F630BD-538D-1B4A-14FA-14B63235278F}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avira Antivirus (Enabled - Up to date) {0897D159-75B7-14C4-2E4A-2FC449B26D32}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 16.04 (x64) (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
Adobe Acrobat Reader DC - Chinese Traditional (HKLM-x32\...\{AC76BA86-7AD7-1028-7B44-AC0F074E4100}) (Version: 17.009.20044 - Adobe Systems Incorporated)
Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.197 - Adobe Systems Incorporated)
Adobe Flash Player 25 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 25.0.0.148 - Adobe Systems Incorporated)
Ansel (Version: 376.33 - NVIDIA Corporation) Hidden
Application Compatibility Toolkit (Version: 10.1.14393.0 - Microsoft) Hidden
Application Verifier x64 External Package (Version: 10.1.15063.137 - Microsoft) Hidden
Appman Sequencer on amd64 (Version: 10.1.14393.0 - Microsoft) Hidden
Assessments on Client (x32 Version: 10.1.14393.0 - Microsoft) Hidden
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.26.48 - Avira Operations GmbH & Co. KG)
Avira Connect (HKLM-x32\...\{b9b31169-be62-4b82-9e65-d47c99299ba1}) (Version: 1.2.88.24864 - Avira Operations GmbH & Co. KG)
Avira Connect (x32 Version: 1.2.88.24864 - Avira Operations GmbH & Co. KG) Hidden
Avira Phantom VPN (HKLM-x32\...\Avira Phantom VPN) (Version: 2.8.2.29275 - Avira Operations GmbH & Co. KG)
Avira Scout (HKLM-x32\...\Avira Scout) (Version: 17.5.3029.2783 - Avira Operations GmbH & Co. KG)
Avira Software Updater (HKLM-x32\...\{A4DF9D2A-AB95-4F30-9CA4-2F49662BA39D}) (Version: 2.0.2.27024 - Avira Operations GmbH & Co. KG)
Avira System Speedup (HKLM-x32\...\Avira System Speedup_is1) (Version: 3.6.0.5338 - Avira Operations GmbH & Co. KG)
BitMeter (HKLM-x32\...\BitMeter) (Version:  - )
Dolby Digital Plus Home Theater (HKLM\...\{7E3D8FA1-6092-469A-955B-68FC4A2C67CA}) (Version: 7.3.2.2 - Dolby Laboratories Inc)
Dr.eye 9.0 Flagship Edition (HKLM-x32\...\{ADB8679A-DCE9-4EA9-B23C-4A426478F86B}) (Version: 9.0.2009.0 - Inventec)
ELAN Touchpad 11.15.0.18_X64 (HKLM\...\Elantech) (Version: 11.15.0.18 - ELAN Microelectronic Corp.)
EMET 5.52 (HKLM-x32\...\{BC26560D-1FC4-4DD5-8756-7E0606A79AE3}) (Version: 5.52 - Microsoft Corporation)
Expresso (HKLM-x32\...\{81A1B78B-69B5-4F71-950D-598FA62FCB73}) (Version: 3.0.4750 - Ultrapico) <==== ATTENTION
Extended Asian Language font pack for Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-2530-0000-AC0F074E4100}) (Version: 15.007.20033 - Adobe Systems Incorporated)
Fiddler Syntax-Highlighting Addons (HKLM-x32\...\FiddlerSyntaxAddons) (Version:  - )
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 57.0.2987.133 - Google Inc.)
Google Chrome Canary (HKU\S-1-5-21-2728424925-2742704299-915834903-1001\...\Google Chrome SxS) (Version: 60.0.3076.0 - Google Inc.)
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
HijackThis 2.0.2 (HKLM-x32\...\HijackThis) (Version: 2.0.2 - TrendMicro)
Imaging And Configuration Designer (x32 Version: 10.1.14393.0 - Microsoft) Hidden
Imaging Designer (x32 Version: 10.1.14393.0 - Microsoft) Hidden
Imaging Tools Support (x32 Version: 10.1.14393.0 - Microsoft) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4425 - Intel Corporation)
Internet Explorer Administration Kit 11 (HKLM-x32\...\{43630B3E-1DDC-4168-8AFC-58A57186469A}) (Version: 11.0.0 - Microsoft Corporation)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
Java 8 Update 112 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180112F0}) (Version: 8.0.1120.15 - Oracle Corporation)
Java SE Development Kit 8 Update 112 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180112}) (Version: 8.0.1120.15 - Oracle Corporation)
Kits Configuration Installer (x32 Version: 10.1.15063.137 - Microsoft) Hidden
Log Parser 2.2 (HKLM-x32\...\{4AC23178-EEBC-4BAF-8CC0-AB15C8897AC9}) (Version: 2.2.10 - Microsoft Corporation)
Microsoft Deployment Toolkit 2013 Update 2 (6.3.8330.1000) (HKLM\...\{F172B6C7-45DD-4C22-A5BF-1B2C084CADEF}) (Version: 6.3.8330.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM\...\Office15.PROPLUS) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2728424925-2742704299-915834903-1001\...\OneDriveSetup.exe) (Version: 17.3.6799.0327 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft Visio Professional 2013 (HKLM\...\Office15.VISPRO) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40649 (HKLM-x32\...\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}) (Version: 12.0.40649.5 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) 語言套件 - 繁體中文 (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Language Pack - CHT) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft Windows Build 15063 Retail Debugging Symbols for x64 (HKLM-x32\...\{18B00F22-95C0-4179-9B1A-76FE3E0FD046}) (Version: 17.03.17.1834 - Microsoft)
Mozilla Firefox 52.0.1 (x64 zh-TW) (HKLM\...\Mozilla Firefox 52.0.1 (x64 zh-TW)) (Version: 52.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 52.0.1.6284 - Mozilla)
MSI Development Tools (x32 Version: 10.1.15063.137 - Microsoft Corporation) Hidden
MXAx64 (x32 Version: 10.1.14393.0 - Microsoft) Hidden
Notepad++ (32-bit x86) (HKLM-x32\...\Notepad++) (Version: 7.3 - Notepad++ Team)
NVIDIA PhysX 系統軟體 9.16.0318 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.16.0318 - NVIDIA Corporation)
NVIDIA 圖形驅動程式 376.33 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 376.33 - NVIDIA Corporation)
OpenSSL 1.1.0e (64-bit) (HKLM\...\OpenSSL (64-bit)_is1) (Version:  - OpenSSL Win64 Installer Team)
PhotoScape (HKLM-x32\...\PhotoScape) (Version:  - )
PotPlayer-64 bit (HKLM\...\PotPlayer64) (Version:  - Kakao Corp.)
PowerISO (HKLM-x32\...\PowerISO) (Version: 6.5 - Power Software Ltd)
PowerShell PKI Module (HKLM\...\{B1F013FE-25F6-4EF2-9C33-83BA67864618}) (Version: 3.2.6.0 - Sysadmins LV)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7040 - Realtek Semiconductor Corp.)
SDK ARM Additions (x32 Version: 10.1.10586.0 - Microsoft Corporation) Hidden
SDK ARM Additions EULA (x32 Version: 10.1.10586.0 - Microsoft Corporations) Hidden
SDK ARM Redistributables (x32 Version: 10.1.10586.0 - Microsoft Corporation) Hidden
SDK Debuggers (x32 Version: 10.1.15063.137 - Microsoft Corporation) Hidden
SDK Debuggers ARM (x32 Version: 10.1.10586.0 - Microsoft Corporation) Hidden
Service Pack 1 for Microsoft Office 2013 (KB2817430) 64-Bit Edition (HKLM\...\{90150000-0011-0000-1000-0000000FF1CE}_Office15.PROPLUS_{D82063A8-7C8C-4C3B-A9BB-95138CA55D26}) (Version:  - Microsoft)
Service Pack 1 for Microsoft Office 2013 (KB2817430) 64-Bit Edition (Version:  - Microsoft) Hidden
Service Pack 1 for Microsoft Office 2013 (KB2850036) 64-Bit Edition (HKLM\...\{90150000-0051-0000-1000-0000000FF1CE}_Office15.VISPRO_{F0C12872-B60D-4E37-A2F9-20C46A5E1F1A}) (Version:  - Microsoft)
Service Pack 1 for Microsoft Office 2013 (KB2850036) 64-Bit Edition (Version:  - Microsoft) Hidden
SpeedFan (remove only) (HKLM-x32\...\SpeedFan) (Version:  - )
Toolkit Documentation (x32 Version: 10.1.14393.0 - Microsoft) Hidden
UEV Tools on amd64 (Version: 10.1.14393.0 - Microsoft) Hidden
Update for Skype for Business 2015 (KB3039776) 64-Bit Edition (HKLM\...\{90150000-012B-0404-1000-0000000FF1CE}_Office15.PROPLUS_{C80CEA66-95B6-4AB9-8AD0-463ACC6B217E}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB3127976) 64-Bit Edition (HKLM\...\{90150000-0011-0000-1000-0000000FF1CE}_Office15.PROPLUS_{E0107125-62C7-43B6-8E66-0582F397469E}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB3127976) 64-Bit Edition (HKLM\...\{90150000-00C1-0000-1000-0000000FF1CE}_Office15.PROPLUS_{E0107125-62C7-43B6-8E66-0582F397469E}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB3127976) 64-Bit Edition (HKLM\...\{90150000-00C1-0000-1000-0000000FF1CE}_Office15.VISPRO_{E0107125-62C7-43B6-8E66-0582F397469E}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB3127976) 64-Bit Edition (HKLM\...\{90150000-012B-0404-1000-0000000FF1CE}_Office15.PROPLUS_{E0107125-62C7-43B6-8E66-0582F397469E}) (Version:  - Microsoft)
User State Migration Tool (x32 Version: 10.1.14393.0 - Microsoft) Hidden
Volume Activation Management Tool (x32 Version: 10.1.14393.0 - Microsoft) Hidden
Windows 10 升級小幫手 (HKLM-x32\...\{D5C69738-B486-402E-85AC-2456D98A64E4}) (Version: 1.4.9200.17387 - Microsoft Corporation)
Windows Driver Kit - Windows 10.0.10586.0 (HKLM-x32\...\{39fdd508-112c-4e73-b736-c5378725b145}) (Version: 10.1.10586.0 - Microsoft Corporation)
Windows Resource Kit Tools (HKLM-x32\...\{FA237125-51FF-408C-8BB8-30C2B3DFFF9C}) (Version: 5.2.3790 - Microsoft Corporation)
Windows Software Development Kit - Windows 10.0.15063.137 (HKLM-x32\...\{a07b4a01-ca27-4e28-9353-f325a308f128}) (Version: 10.1.15063.137 - Microsoft Corporation)
Windows Support Tools (HKLM-x32\...\{F07F0BCD-5C6D-4499-9F05-6ED747078A72}) (Version: 5.2.3790.1830 - Microsoft Corporation)
Windows 評定及部署套件 - Windows 10 (HKLM-x32\...\{39ebb79f-797c-418f-b329-97cfdf92b7ab}) (Version: 10.1.14393.0 - Microsoft Corporation)
WinPcap 4.1.2 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2001 - CACE Technologies)
Wireshark 2.2.3 (64-bit) (HKLM-x32\...\Wireshark) (Version: 2.2.3 - The Wireshark developer community, hxxps://www.wireshark.org)
WPT Redistributables (x32 Version: 10.1.15063.137 - Microsoft) Hidden
WPTx64 (x32 Version: 10.1.15063.137 - Microsoft) Hidden
XML Notepad 2007 (HKLM-x32\...\{FC7BACF0-1FFA-4605-B3B4-A66AB382752D}) (Version: 2.3.0.0 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-2728424925-2742704299-915834903-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)
CustomCLSID: HKU\S-1-5-21-2728424925-2742704299-915834903-1001_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\mbwuyrhjr\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2728424925-2742704299-915834903-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\mbwuyrhjr\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2728424925-2742704299-915834903-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\mbwuyrhjr\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2728424925-2742704299-915834903-1001_Classes\CLSID\{F09690BD-582D-4439-B6ED-5C2545D2F424}\InprocServer32 -> C:\Windows\system32\kernel32.dll (Microsoft Corporation)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
ShortcutWithArgument: C:\Users\mbwuyrhjr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome 應用程式\Chrome 遠端桌面.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=gbchcmhmhahfdphkhkmpfmihenigjmpp
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-07-16 19:42 - 2016-07-16 19:42 - 00231424 _____ () C:\Windows\SYSTEM32\ism32k.dll
2016-12-22 10:42 - 2016-12-09 18:29 - 02681200 _____ () C:\Windows\system32\CoreUIComponents.dll
2016-12-22 10:10 - 2016-12-12 02:47 - 00134712 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2017-01-02 03:30 - 2017-01-02 03:30 - 00230064 _____ () C:\Program Files (x86)\Notepad++\NppShell_06.dll
2016-12-22 10:41 - 2016-09-07 12:56 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2016-12-22 10:41 - 2016-12-09 17:41 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2016-12-22 10:41 - 2016-11-02 18:21 - 09760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-12-22 10:41 - 2016-11-02 18:15 - 01401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-12-22 10:41 - 2016-11-02 18:14 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2016-12-22 10:41 - 2016-11-02 18:16 - 02424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-12-22 10:41 - 2016-11-02 18:17 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2014-06-01 18:18 - 2014-06-01 18:18 - 01396736 _____ () C:\Program Files (x86)\Codebox\BitMeter\BitMeter2.exe
2017-04-16 14:04 - 2017-03-29 16:47 - 02885464 _____ () C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\libglesv2.dll
2017-04-16 14:04 - 2017-03-29 16:47 - 00099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2016-07-16 19:47 - 2017-01-24 21:49 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2728424925-2742704299-915834903-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\mbwuyrhjr\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 192.168.42.129
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "RtHDVBg_Dolby"
HKLM\...\StartupApproved\Run: => "ETDCtrl"
HKLM\...\StartupApproved\Run32: => "Avira System Speedup Tray"
HKU\S-1-5-21-2728424925-2742704299-915834903-1001\...\StartupApproved\Run: => "OneDrive"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{742B025A-D7A0-4F55-AA29-1C9580A5380A}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{8FC1BECE-1674-45EB-90D7-35ECFA619982}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{0EFB9F8A-D5DC-4443-BB0D-A502143C9D48}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{F2D24F85-4B72-46FE-9B10-27BBDF16B629}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{06D4E31E-6849-45AD-B339-B841C72502AF}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{DD414F1B-118E-4E12-935A-87BC60EBFBE2}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{AAAFEDFF-FC99-4B25-BB45-B52743A4C4E4}C:\program files (x86)\google\chrome\application\chrome.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [DfsMgmt-In-TCP] => (Allow) %systemroot%\system32\dfsfrsHost.exe
FirewallRules: [{86AE8D2F-AD64-400A-AEE8-5A2D08F2C21B}] => (Allow) C:\Program Files (x86)\Avira\Scout\Application\scout.exe
 
==================== Restore Points =========================
 
09-06-2017 18:31:09 Avira System Speedup 1.0.0
12-06-2017 21:58:28 Windows Update
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (06/12/2017 10:29:08 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2017-06-13T13:55:08Z. Error Code: 0x80070002.
 
Error: (06/12/2017 10:28:38 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2017-06-13T13:55:38Z. Error Code: 0x80070002.
 
Error: (06/12/2017 10:28:08 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2017-06-13T13:55:08Z. Error Code: 0x80070002.
 
Error: (06/12/2017 10:27:38 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2017-06-13T13:55:38Z. Error Code: 0x80070002.
 
Error: (06/12/2017 10:27:08 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2017-06-13T13:55:08Z. Error Code: 0x80070002.
 
Error: (06/12/2017 10:26:38 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2017-06-13T13:55:38Z. Error Code: 0x80070002.
 
Error: (06/12/2017 10:26:08 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2017-06-13T13:55:08Z. Error Code: 0x80070002.
 
Error: (06/12/2017 10:25:38 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2017-06-13T13:55:38Z. Error Code: 0x80070002.
 
Error: (06/12/2017 10:25:08 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2017-06-13T13:55:08Z. Error Code: 0x80070002.
 
Error: (06/12/2017 10:24:38 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2017-06-13T13:55:38Z. Error Code: 0x80070002.
 
 
System errors:
=============
Error: (06/12/2017 10:20:42 PM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 124) (User: NT AUTHORITY)
Description: 03221225624
 
Error: (06/12/2017 06:11:55 PM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 124) (User: NT AUTHORITY)
Description: 03221225624
 
Error: (06/11/2017 09:50:43 PM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 124) (User: NT AUTHORITY)
Description: 03221225624
 
Error: (06/11/2017 07:26:04 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The 應用程式特定 permission settings do not grant 本機 啟用 permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (使用 LRPC) running in the application container 無法使用 SID (無法使用). This security permission can be modified using the Component Services administrative tool.
 
Error: (06/11/2017 07:11:29 PM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 124) (User: NT AUTHORITY)
Description: 03221225624
 
Error: (06/11/2017 07:10:57 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Security Center service terminated with the following error: 
The authentication service is unknown.
 
Error: (06/11/2017 07:10:35 PM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 124) (User: NT AUTHORITY)
Description: 03221225624
 
Error: (06/11/2017 07:05:37 PM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 124) (User: NT AUTHORITY)
Description: 03221225624
 
Error: (06/11/2017 06:51:22 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Security Center service terminated with the following error: 
The authentication service is unknown.
 
Error: (06/11/2017 06:51:00 PM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 124) (User: NT AUTHORITY)
Description: 03221225624
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-3630QM CPU @ 2.40GHz
Percentage of memory in use: 26%
Total physical RAM: 16222.35 MB
Available physical RAM: 11922.69 MB
Total Virtual: 17246.35 MB
Available Virtual: 12749.96 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:446.64 GB) (Free:130.08 GB) NTFS
Drive d: (data) (Fixed) (Total:931.51 GB) (Free:425.2 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 447.1 GB) (Disk ID: E7E5DA2A)
Partition 1: (Active) - (Size=500 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=446.6 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: C97EFA2B)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
#3
Jr0x

    Malware removal team

  • Malware Removal
  • 1,830 posts

Hi anderson2999,

Welcome to Geeks To Go. My name is Jr0x and I'll be helping you with your problem.

Before we get started, there are a few things I need you to take note of.

  • Please read through the instructions before attempting to follow those procedures. I would recommend printing them out as some of the instructions would require you to be in safe mode / offline.
  • If there is anything you are unclear of, please ask before you start the fix.
  • Do not run any scripts / tools on your own, unsupervised usage may cause more harm than good.
  • Please stay with me on this thread, do not start another thread in here (Geeks To Go) or any other forum until I've declared you clean and good to go.
  • There may be a delayed response to you as we may live in different time zones.
  • Inform me of anything that happens unexpectedly during the fix at any point of time.
  • As much as we would like to make this an easy process for you, malware removal is a complex multi-step process, and things may happen such as data loss or your machine being rendered unbootable. I would recommend that you back up your personal data before we proceed.
  • Posts that are not replied to in four (4) days will result in the topic being closed. We have not forgotten you; this is just an effort to keep the boards organized and flowing. To continue on your closed topic, please PM me or any Moderator to have the topic reactivated. If, at any time during our working together, I have not responded to you in 2 days (48 hours), then please PM me.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
  • As we go along please tell me how the computer is running now. Please be as descriptive as possible e.g. I'm still getting web redirects, I am unable to access the internet etc.

Let's get started.

Move FRST to Desktop

I noticed that you did not run FRST from the Desktop, but from the Downloads folder instead. Please move FRST from your Downloads folder (C:\Users\mbwuyrhjr\Downloads) to the Desktop (C:\Users\mbwuyrhjr\Desktop).

Re-Scan with Farbar's Recovery Scan Tool (FRST)

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File).
  • Please ensure you place a check mark in the Addition.txt check box at the bottom of the form before running.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • Because you selected the Addition.txt check box this log will be created as well. Please also paste that along with the FRST.txt into your reply.
