Windows activation scam? Please help diagnose :)


  • This topic is locked
10 replies to this topic

#1 rikuhj

rikuhj

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:26 AM

Posted 03 May 2016 - 11:42 PM

I woke up a day ago and, when I turned on my computer, found it acting strange: I saw a Windows activation screen. I couldn't get past it, but my second screen still works like normal. I was wondering if I have malware on my computer. Please help me analyze it. A log is attached. Thank you in advance :)


Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 6:35:27 PM, on 5/3/2016
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v10.0 (10.00.9200.17568)

FIREFOX: 45.0.2 (x86 en-US)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\TeamViewer\TeamViewer.exe
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Users\Administrator\Desktop\Games\HijackThis.exe
C:\PROGRA~2\MOZILL~1\firefox.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\Desktop\Games\NBA2k16 V1.00 Trainer +8 MrAntiFun.EXE
C:\Users\ADMINI~1\AppData\Local\Temp\cetrainers\CET9483.tmp\NBA2k16 V1.00 Trainer +8 MrAntiFun.EXE
C:\Windows\SysWOW64\DllHost.exe

F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll" (file missing)
O4 - HKLM\..\Run: [Corsair Headset Software] "C:\Program Files (x86)\Corsair\Corsair Headset Software\HeadsetControlPanel.exe" /minimized
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [BlueStacks Agent] C:\Program Files (x86)\BlueStacks\HD-Agent.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [WGA Remover] "C:\Program Files (x86)\WGA Remover\wgaremover.exe" -silent
O4 - HKCU\..\Run: [KakaoTalk] "C:\Program Files (x86)\Kakao\KakaoTalk\KakaoTalk.exe" -bystartup
O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Administrator\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - HKCU\..\Run: [puush] C:\Program Files (x86)\puush\puush.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Viber] "C:\Users\Administrator\AppData\Local\Viber\Viber.exe" StartMinimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Mobile Partner] C:\Program Files (x86)\HiSuite\HiSuite.exe -s
O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKUS\S-1-5-21-2451644212-187192978-2764627041-1001\..\Run: [Akamai NetSession Interface] "C:\Users\liberty\AppData\Local\Akamai\netsession_win.exe" (User 'rikuhj')
O4 - HKUS\S-1-5-21-2451644212-187192978-2764627041-1001\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent (User 'rikuhj')
O4 - HKUS\S-1-5-21-2451644212-187192978-2764627041-1001\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun (User 'rikuhj')
O4 - HKUS\S-1-5-21-2451644212-187192978-2764627041-1001\..\Run: [puush] C:\Program Files (x86)\puush\puush.exe (User 'rikuhj')
O4 - HKUS\S-1-5-21-2451644212-187192978-2764627041-1001\..\Run: [Facebook Update] "C:\Users\liberty\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver (User 'rikuhj')
O4 - HKUS\S-1-5-21-2451644212-187192978-2764627041-1001\..\Run: [Google Update] "C:\Users\liberty\AppData\Local\Google\Update\GoogleUpdate.exe" /c (User 'rikuhj')
O4 - HKUS\S-1-5-21-2451644212-187192978-2764627041-1001\..\Run: [Razer Comms] C:\Program Files (x86)\Razer\Core\RazerCore.exe /ChatApplet (User 'rikuhj')
O4 - HKUS\S-1-5-21-2451644212-187192978-2764627041-1001\..\Run: [Overwolf] C:\Program Files (x86)\Overwolf\Overwolf.exe -silent (User 'rikuhj')
O4 - HKUS\S-1-5-21-2451644212-187192978-2764627041-1001\..\Run: [Plex Media Server] "C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe" (User 'rikuhj')
O4 - HKUS\S-1-5-21-2451644212-187192978-2764627041-1001\..\Run: [GarenaPlus] "C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe" -autolaunch (User 'rikuhj')
O4 - HKUS\S-1-5-21-2451644212-187192978-2764627041-1001\..\Run: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload (User 'rikuhj')
O4 - HKUS\S-1-5-21-2451644212-187192978-2764627041-1001\..\Run: [KiesAirMessage] C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup (User 'rikuhj')
O4 - HKUS\S-1-5-21-2451644212-187192978-2764627041-1001\..\Run: [KakaoTalk] "C:\Program Files (x86)\Kakao\KakaoTalk\KakaoTalk.exe" -bystartup (User 'rikuhj')
O4 - Startup: mysystem.lnk = C:\Program Files (x86)\Microsoft Corporation\SystemAlert.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.ph/com/EGamesPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AODService - Unknown owner - C:\Program Files (x86)\AMD\OverDrive\AODAssist.exe
O23 - Service: Apple Mobile Device Service - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BlueStacks Android Service (BstHdAndroidSvc) - BlueStack Systems, Inc. - C:\Program Files (x86)\BlueStacks\HD-Service.exe
O23 - Service: BlueStacks Log Rotator Service (BstHdLogRotatorSvc) - BlueStack Systems, Inc. - C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
O23 - Service: BlueStacks Updater Service (BstHdUpdaterSvc) - BlueStack Systems, Inc. - C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Firebird Project - C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Firebird Project - C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe
O23 - Service: NVIDIA GeForce Experience Service (GfExperienceService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: HiSuiteOuc64.exe - Unknown owner - C:\ProgramData\HiSuiteOuc\HiSuiteOuc64.exe
O23 - Service: HP Support Solutions Framework Service (HPSupportSolutionsFrameworkService) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
O23 - Service: HuaweiHiSuiteService64.exe - Unknown owner - C:\ProgramData\HandSetService\HuaweiHiSuiteService64.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Network Service (NvNetworkService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
O23 - Service: NVIDIA Streamer Network Service (NvStreamNetworkSvc) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
O23 - Service: NVIDIA Streamer Service (NvStreamSvc) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: Overwolf Updater Windows SCM (OverwolfUpdater) - Overwolf LTD - C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Razer Overlay Subsystem Emergency Service (RzOvlMon) - Razer, Inc. - C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Spotflux Connection Manager (SpotfluxConnectionManager) - Spotflux - C:\Program Files (x86)\Spotflux\services\SpotfluxConnectionManager.exe
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SAMSUNG Mobile Connectivity Service (ss_conn_service) - DEVGURU Co., LTD. - C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TeamViewer 10 (TeamViewer) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 12786 bytes


Edited by rikuhj, 03 May 2016 - 11:44 PM.
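
As an added, defender-side example (not part of this thread, and not code from HijackThis or Farbar): a small Python triage script that parses O4 (startup) and O23 (service) lines in the HijackThis format shown in the log above and flags the ones worth a closer look: a file the tool could not find, a service with no vendor string, a per-user Startup folder shortcut, or an executable living in a user-writable folder (AppData, Temp, ProgramData). The sample lines are constructed from the line formats in the log (one SID is replaced by a placeholder); the heuristics, flag names and function names are this example's own. A flag is a prompt for review, not a verdict; legitimate software trips these checks all the time.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the HijackThis O4/O23 line format (one SID replaced by a
# placeholder); this is not the poster's full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [puush] C:\Program Files (x86)\puush\puush.exe
O4 - HKUS\S-1-5-21-EXAMPLE-1001\..\Run: [Akamai NetSession Interface] "C:\Users\liberty\AppData\Local\Akamai\netsession_win.exe" (User 'rikuhj')
O4 - Startup: mysystem.lnk = C:\Program Files (x86)\Microsoft Corporation\SystemAlert.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Firebird Project - C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe
O23 - Service: HiSuiteOuc64.exe - Unknown owner - C:\ProgramData\HiSuiteOuc\HiSuiteOuc64.exe
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
"""


@dataclass
class Entry:
    section: str            # "O4 Run", "O4 Startup" or "O23 Service"
    name: str               # Run value name, shortcut name or service display name
    path: str               # executable path taken from the line
    owner: Optional[str]    # vendor string for O23 lines, None otherwise
    flags: List[str] = field(default_factory=list)


_O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O4_STARTUP = re.compile(r"^O4 - (?P<scope>Global )?Startup: (?P<name>.+?) = (?P<path>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<rest>.+)$")
# A quoted command, or an unquoted drive-letter path up to the first ".exe"
_EXE = re.compile(r'"([^"]+)"|([A-Za-z]:\\.*?\.exe)', re.IGNORECASE)
_MISSING = " (file missing)"
# Folders a standard user can write to; persistence living there gets a look
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")


def _strip_missing(entry: Entry) -> Entry:
    # HijackThis appends this marker when it cannot find the file; on 64-bit Windows a
    # 32-bit scanner is redirected away from System32, so treat it as low priority there
    if entry.path.endswith(_MISSING):
        entry.path = entry.path[: -len(_MISSING)]
        entry.flags.append("file missing")
    return entry


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O4 or O23 line; anything else (other sections, blanks) yields None."""
    line = line.strip()
    m = _O4_RUN.match(line)
    if m:
        exe = _EXE.search(m.group("cmd"))
        if not exe:
            return None
        return _strip_missing(Entry("O4 Run", m.group("name"), exe.group(1) or exe.group(2), None))
    m = _O4_STARTUP.match(line)
    if m:
        entry = Entry("O4 Startup", m.group("name"), m.group("path"), None)
        if m.group("scope") is None:
            entry.flags.append("per-user Startup folder shortcut")
        return _strip_missing(entry)
    m = _O23.match(line)
    if m:
        # Display names may themselves contain " - ", so split from the right
        parts = m.group("rest").rsplit(" - ", 2)
        if len(parts) != 3:
            return None
        display, owner, path = parts
        return _strip_missing(Entry("O23 Service", display, path, owner))
    return None


def assess(entry: Entry) -> Entry:
    """Add review flags for an unknown vendor and for user-writable locations."""
    # Built-in Windows services are listed by resource-string name ("@...dll,-123") and
    # HijackThis shows them without an owner, so that alone is not flagged here
    if entry.owner == "Unknown owner" and not entry.name.startswith("@"):
        entry.flags.append("no vendor / unknown owner")
    low = entry.path.lower()
    if any(marker in low for marker in USER_WRITABLE):
        entry.flags.append("runs from a user-writable location")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return, in log order, only the entries that collected at least one flag."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and assess(entry).flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<12} {e.name:<45} {', '.join(e.flags)}\n{'':13}{e.path}")
```

Run it against a pasted HijackThis log and the output is a short list to check by hand (publisher, signature, file date, what the program is) rather than the full log; entries in Program Files with a known vendor drop out, which is what makes the rest stand out.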




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,519 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:26 AM

Posted 04 May 2016 - 07:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false-positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
(screenshot: attachlogs.png)

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Let me know what problems persist.

===

p.s.
HijackThis is no longer supported.
I suggest you remove it via the Control Panel > Programs > Programs and Features applet.
Use the Farbar tool from now on to report problems.
<<<>>>

#3 rikuhj

rikuhj
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:26 AM

Posted 04 May 2016 - 03:49 PM

Here are my results; please let me know further instructions. Thanks!

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:04-05-2016
Ran by Administrator (administrator) on SHINNYCHAN (04-05-2016 10:39:09)
Running from C:\Users\Administrator\Desktop
Loaded Profiles: rikuhj & Administrator (Available Profiles: rikuhj & Administrator)
Platform: Windows 8 Pro (X64) Language: English (United States)
Internet Explorer Version 10 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
(Firebird Project) C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
() C:\ProgramData\HiSuiteOuc\HiSuiteOuc64.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
() C:\ProgramData\HandSetService\HuaweiHiSuiteService64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Razer, Inc.) C:\Program Files (x86)\Razer\Core\64bit\RzOvlMon.exe
(Spotflux) C:\Program Files (x86)\Spotflux\services\SpotfluxConnectionManager.exe
(DEVGURU Co., LTD.) C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Firebird Project) C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\SeaPort.EXE
(VideoLAN) C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_21_0_0_213.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_21_0_0_213.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(VideoLAN) C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
(VideoLAN) C:\Program Files (x86)\VideoLAN\VLC\vlc.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2771576 2015-12-08] (NVIDIA Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13662936 2013-10-24] (Realtek Semiconductor)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-12-17] (Apple Inc.)
HKLM-x32\...\Run: [Corsair Headset Software] => C:\Program Files (x86)\Corsair\Corsair Headset Software\HeadsetControlPanel.exe [3160064 2013-03-25] (Corsair)
HKLM-x32\...\Run: [amd_dc_opt] => C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe [819984 2014-03-13] (BlueStack Systems, Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [594992 2016-01-29] (Oracle Corporation)
HKLM-x32\...\Run: [WGA Remover] => C:\Program Files (x86)\WGA Remover\wgaremover.exe [600064 2014-11-18] ()
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [55264 2016-03-10] (Malwarebytes)
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\Run: [Akamai NetSession Interface] => "C:\Users\liberty\AppData\Local\Akamai\netsession_win.exe"
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\Run: [Steam] => "C:\Program Files (x86)\Steam\steam.exe" -silent
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [51662464 2016-04-08] (Skype Technologies S.A.)
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\Run: [puush] => C:\Program Files (x86)\puush\puush.exe [568392 2015-03-29] ()
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\Run: [Facebook Update] => C:\Users\liberty\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2013-11-16] (Facebook Inc.)
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\Run: [Google Update] => C:\Users\liberty\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-09-01] (Google Inc.)
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\Run: [Razer Comms] => C:\Program Files (x86)\Razer\Core\RazerCore.exe [1094336 2013-11-20] (Razer, Inc.)
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\Run: [Overwolf] => C:\Program Files (x86)\Overwolf\Overwolf.exe [45296 2016-04-24] (Overwolf LTD)
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\Run: [Plex Media Server] => "C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe"
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\Run: [GarenaPlus] => "C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe" -autolaunch
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\Run: [KiesPreload] => C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\Run: [KiesAirMessage] => C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\Run: [KakaoTalk] => "C:\Program Files (x86)\Kakao\KakaoTalk\KakaoTalk.exe" -bystartup
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\MountPoints2: {5937fdb2-f4d1-11e3-bed5-bc5ff4bcb4b2} - "G:\setup.exe"
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\MountPoints2: {948baaa0-6877-11e3-be92-bc5ff4bcb4b2} - "G:\setup.exe" -a
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\...\MountPoints2: {9843c863-3732-11e3-be78-bc5ff4bcb4b2} - "G:\setup.exe" -a
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\Run: [Facebook Update] => C:\Users\Administrator\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2014-02-23] (Facebook Inc.)
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\Run: [puush] => C:\Program Files (x86)\puush\puush.exe [568392 2015-03-29] ()
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\Run: [Google Update] => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-08-28] (Google Inc.)
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\Run: [Viber] => C:\Users\Administrator\AppData\Local\Viber\Viber.exe [69268048 2016-04-13] (Viber Media S.à r.l.)
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3696912 2014-03-03] (Disc Soft Ltd)
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\Run: [Mobile Partner] => C:\Program Files (x86)\HiSuite\HiSuite.exe [583488 2014-01-27] ()
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [6482200 2014-09-26] (Piriform Ltd)
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [51662464 2016-04-08] (Skype Technologies S.A.)
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\Run: [GoogleChromeAutoLaunch_361C1DD22E1256C6B68316A32E8B1949] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [881304 2016-04-27] (Google Inc.)
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\MountPoints2: {234c80a5-dc73-11e5-80b9-bc5ff4bcb4b2} - "K:\HiSuiteDownLoader.exe"
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\MountPoints2: {234c80c0-dc73-11e5-80b9-bc5ff4bcb4b2} - "K:\HiSuiteDownLoader.exe"
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\MountPoints2: {234c847c-dc73-11e5-80b9-bc5ff4bcb4b2} - "K:\HiSuiteDownLoader.exe"
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\MountPoints2: {5937fdb2-f4d1-11e3-bed5-bc5ff4bcb4b2} - "G:\setup.exe"
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\MountPoints2: {948baaa0-6877-11e3-be92-bc5ff4bcb4b2} - "J:\setup.exe" -a
HKU\S-1-5-21-2451644212-187192978-2764627041-500\...\MountPoints2: {9843c863-3732-11e3-be78-bc5ff4bcb4b2} - "J:\setup.exe" -a
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-04-25] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-04-25] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-04-25] (Google)
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk [2016-05-03]
ShortcutTarget: mysystem.lnk -> C:\Program Files (x86)\Microsoft Corporation\SystemAlert.exe (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk [2016-05-01]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{2FE6AD36-9937-4FE0-A704-B6792DAC6655}: [DhcpNameServer] 172.26.38.1 172.26.38.2
Tcpip\..\Interfaces\{78CCE7E7-2BE4-420F-BE81-9B2BF7352900}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{9A0E67E8-0CDF-4CC1-BE72-811346B50849}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{CD40DE83-A414-4B48-9C8D-C0D875B29979}: [DhcpNameServer] 44.0.0.252

Internet Explorer:
==================
HKU\S-1-5-21-2451644212-187192978-2764627041-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://t.jp.msn.com/?rd=1&ucc=JP&dcc=JP&opt=0
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll [2016-02-05] (Oracle Corporation)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll [2012-01-25] (Microsoft Corporation.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll [2016-02-05] (Oracle Corporation)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll [2012-01-25] (Microsoft Corporation.)
DPF: HKLM-x32 {48884C41-EFAC-433D-958A-9FADAC41408E} hxxps://www.e-games.com.ph/com/EGamesPlugin.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g9pgw7a9.default
FF DefaultSearchEngine.US: Google
FF Homepage: about:home
FF Session Restore: -> is enabled.
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll [2016-04-09] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_213.dll [2016-04-09] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @esn/npbattlelog,version=2.3.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.3.1\npbattlelog.dll [No File]
FF Plugin-x32: @esn/npbattlelog,version=2.4.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.4.0\npbattlelog.dll [2014-05-25] (EA Digital Illusions CE AB)
FF Plugin-x32: @java.com/DTPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\dtplugin\npDeployJava1.dll [2016-02-05] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll [2016-02-05] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [2015-06-24] (Nexon)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-12-16] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-12-16] (NVIDIA Corporation)
FF Plugin-x32: @raidcall.en/RCplugin -> C:\Users\Administrator\AppData\Roaming\raidcall\plugins\nprcplugin.dll [2014-05-26] (Raidcall)
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-09] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-09] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin HKU\S-1-5-21-2451644212-187192978-2764627041-1001: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\liberty\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll [2014-07-24] (Skype Limited)
FF Plugin HKU\S-1-5-21-2451644212-187192978-2764627041-1001: @talk.google.com/GoogleTalkPlugin -> C:\Users\liberty\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-2451644212-187192978-2764627041-1001: @talk.google.com/O1DPlugin -> C:\Users\liberty\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-2451644212-187192978-2764627041-1001: @tools.google.com/Google Update;version=3 -> C:\Users\liberty\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-05-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-2451644212-187192978-2764627041-1001: @tools.google.com/Google Update;version=9 -> C:\Users\liberty\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-05-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-2451644212-187192978-2764627041-500: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Administrator\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll [2014-07-24] (Skype Limited)
FF Plugin HKU\S-1-5-21-2451644212-187192978-2764627041-500: @talk.google.com/GoogleTalkPlugin -> C:\Users\Administrator\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-2451644212-187192978-2764627041-500: @talk.google.com/O1DPlugin -> C:\Users\Administrator\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-2451644212-187192978-2764627041-500: @tools.google.com/Google Update;version=3 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-2451644212-187192978-2764627041-500: @tools.google.com/Google Update;version=9 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Administrator\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Administrator\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Extension: Adblock Plus - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g9pgw7a9.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-04-28]

Chrome:
=======
CHR Profile: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-04]
CHR Extension: (Google Drive) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Adblock Plus) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-03-09]
CHR Extension: (Google Search) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (NicoNico Audio Extractor) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\eecoahjklhopckkiefihjloeidikepdh [2015-03-19]
CHR Extension: (Google Docs Offline) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-18]
CHR Extension: (Google Voice (by Google)) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcnhkahnjcbndmmehfkdnkjomaanaooo [2015-11-01]
CHR Extension: (Google Hangouts) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nckgahadagoaajjgafhacjanaoiihapd [2015-12-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AODService; C:\Program Files (x86)\AMD\OverDrive\AODAssist.exe [137256 2013-05-24] ()
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
S2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [402192 2014-03-13] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [385808 2014-03-13] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [770832 2014-03-13] (BlueStack Systems, Inc.)
R2 FirebirdGuardianDefaultInstance; C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe [98304 2013-03-19] (Firebird Project) [File not signed]
R3 FirebirdServerDefaultInstance; C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe [3784704 2013-03-19] (Firebird Project) [File not signed]
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1156216 2015-12-08] (NVIDIA Corporation)
R2 HiSuiteOuc64.exe; C:\ProgramData\HiSuiteOuc\HiSuiteOuc64.exe [137024 2014-01-27] ()
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [24376 2015-06-30] (Hewlett-Packard Company)
R2 HuaweiHiSuiteService64.exe; C:\ProgramData\HandSetService\HuaweiHiSuiteService64.exe [204096 2014-01-27] ()
R2 Net Driver HPZ12; C:\Windows\System32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [5267776 2014-01-21] (INCA Internet Co., Ltd.)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1872504 2015-12-08] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [8185464 2015-12-08] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [6477432 2015-12-08] (NVIDIA Corporation)
S3 OverwolfUpdater; C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [1286896 2016-04-24] (Overwolf LTD)
R2 Pml Driver HPZ12; C:\Windows\System32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-06-16] ()
R2 RzOvlMon; C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe [32960 2013-11-20] (Razer, Inc.)
R2 SpotfluxConnectionManager; C:\Program Files (x86)\Spotflux\services\SpotfluxConnectionManager.exe [105984 2015-07-30] (Spotflux) [File not signed]
R2 ss_conn_service; C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe [741640 2014-06-15] (DEVGURU Co., LTD.)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5702416 2015-09-11] (TeamViewer GmbH)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16056 2015-07-06] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.2.0; C:\Program Files (x86)\AMD\OverDrive\amd64\AODDriver2.sys [58088 2013-05-24] (Advanced Micro Devices)
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [121616 2014-03-13] (BlueStack Systems)
S3 CorsairAudioFilter; C:\Windows\system32\DRIVERS\corsveng2kamd64.sys [103296 2013-03-15] (Corsair)
S3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [151968 2012-10-19] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [21928 2015-03-23] (Windows ® Win 7 DDK provider)
R1 dtsoftbus01; C:\Windows\System32\drivers\dtsoftbus01.sys [283064 2014-06-17] (Disc Soft Ltd)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3265256 2012-09-19] (Broadcom Corporation)
S3 HWHandSet; C:\Windows\system32\DRIVERS\hw_quusbmdm.sys [223232 2011-10-23] (Huawei Technologies Co., Ltd.)
U5 hw_usbdev; C:\Windows\System32\Drivers\hw_usbdev.sys [116864 2011-10-23] (Huawei Technologies Co., Ltd.)
U0 mfjgt; C:\Windows\System32\drivers\pnyxvm.sys [79064 2016-05-03] (Malwarebytes)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19576 2015-12-08] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [50472 2015-08-10] (NVIDIA Corporation)
S3 qcusbser; C:\Windows\system32\DRIVERS\qcusbser.sys [242688 2013-04-24] (QUALCOMM Incorporated)
R3 RTCore64; C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [13368 2013-01-22] ()
S3 RzDxgk; C:\Windows\system32\drivers\RzDxgk.sys [129472 2013-11-20] (Razer, Inc.)
S0 RzFilter; C:\Windows\System32\drivers\RzFilter.sys [74432 2013-11-20] (Razer, Inc.)
R3 tapSF0901; C:\Windows\system32\DRIVERS\tapSF0901.sys [39104 2013-10-08] (Spotflux, Inc.)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
S3 usbrndis6; C:\Windows\system32\DRIVERS\usb80236.sys [20992 2013-02-11] (Microsoft Corporation)
S3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [113936 2013-10-15] (Oracle Corporation)
R3 VCSVADHWSer; C:\Windows\system32\DRIVERS\vcsvad.sys [21504 2008-12-26] (Avnex)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-06] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [281944 2015-07-06] (Microsoft Corporation)
U0 wesow; C:\Windows\System32\drivers\mpcsit.sys [79064 2016-05-03] (Malwarebytes)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [X]
S3 VBoxNetFlt; \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-04 10:39 - 2016-05-04 10:39 - 00026887 _____ C:\Users\Administrator\Desktop\FRST.txt
2016-05-04 10:38 - 2016-05-04 10:38 - 00001150 _____ C:\Users\Administrator\Desktop\AdwCleaner[R13].txt
2016-05-04 10:32 - 2016-05-04 10:32 - 00001047 _____ C:\Users\Administrator\Desktop\ScanMBAM.txt
2016-05-04 09:50 - 2016-05-04 10:39 - 00000000 ____D C:\FRST
2016-05-04 09:48 - 2016-05-04 09:48 - 02377216 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe
2016-05-03 22:49 - 2016-05-03 22:57 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-05-03 22:40 - 2016-05-03 22:40 - 00079064 _____ (Malwarebytes) C:\Windows\system32\Drivers\mpcsit.sys
2016-05-03 19:51 - 2016-05-03 19:51 - 00079064 _____ (Malwarebytes) C:\Windows\system32\Drivers\pnyxvm.sys
2016-05-03 18:17 - 2016-05-03 18:17 - 00000000 ____D C:\Users\liberty\AppData\Roaming\Steam
2016-05-03 15:16 - 2016-05-03 15:16 - 00000554 _____ C:\Users\liberty\Desktop\JRT.txt
2016-05-03 02:52 - 2016-05-03 02:52 - 00001235 _____ C:\Users\liberty\Desktop\Desktop - Admin.lnk
2016-05-02 11:53 - 2016-05-02 11:53 - 00000000 ____D C:\Users\liberty\Tracing
2016-05-02 11:48 - 2016-05-02 11:48 - 00000000 ____D C:\Users\liberty\AppData\Roaming\Sun
2016-05-02 11:48 - 2016-05-02 11:48 - 00000000 ____D C:\Users\liberty\.oracle_jre_usage
2016-05-02 11:19 - 2016-05-02 11:19 - 00012602 _____ C:\Windows\system32\.crusader
2016-05-02 11:15 - 2016-05-02 11:19 - 00000000 ____D C:\ProgramData\HitmanPro
2016-05-02 10:51 - 2016-05-02 11:02 - 00000000 ____D C:\Program Files (x86)\WGA Remover
2016-05-02 10:51 - 2016-05-02 10:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WGA Remover
2016-05-02 10:44 - 2016-05-02 10:44 - 00000258 __RSH C:\Users\liberty\ntuser.pol
2016-05-01 12:15 - 2016-05-01 12:15 - 00000000 ____D C:\Users\Administrator\AppData\Local\worstenbrood
2016-05-01 11:56 - 2016-05-01 11:57 - 00000258 __RSH C:\Users\Administrator\ntuser.pol
2016-05-01 11:48 - 2016-05-01 11:48 - 00000000 ____D C:\Program Files (x86)\Microsoft Corporation
2016-05-01 11:47 - 2016-05-01 11:57 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-05-01 11:47 - 2016-05-01 11:47 - 00002560 _____ C:\Users\Administrator\AppData\Local\uninstallssl.exe
2016-04-22 03:48 - 2016-04-22 03:48 - 00004259 _____ C:\Users\Administrator\AppData\Local\recently-used.xbel
2016-04-19 16:51 - 2016-04-19 16:51 - 00000000 ____D C:\Users\Administrator\AppData\Local\Viber
2016-04-12 22:14 - 2016-04-02 08:50 - 00046784 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2016-04-12 22:14 - 2016-04-02 07:55 - 01386496 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2016-04-12 22:14 - 2016-04-02 07:55 - 00698368 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2016-04-12 22:14 - 2016-04-02 07:55 - 00499200 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2016-04-12 22:14 - 2016-04-02 07:55 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2016-04-12 22:14 - 2016-04-02 07:55 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2016-04-12 22:14 - 2016-04-02 07:55 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2016-04-12 22:14 - 2016-04-02 05:24 - 01169408 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2016-04-12 18:24 - 2016-04-12 18:24 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\2K Sports
2016-04-12 13:49 - 2016-04-12 13:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NBA 2K16
2016-04-12 02:00 - 2016-05-02 11:12 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-04 10:37 - 2014-06-29 19:46 - 00000000 ____D C:\AdwCleaner
2016-05-04 10:32 - 2014-05-24 09:03 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-05-04 10:25 - 2013-10-16 00:47 - 00000928 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-05-04 10:09 - 2013-10-16 01:58 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-05-04 09:56 - 2014-05-11 10:53 - 00000962 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2451644212-187192978-2764627041-500UA.job
2016-05-04 09:25 - 2013-11-16 09:20 - 00000956 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2451644212-187192978-2764627041-1001UA.job
2016-05-04 09:25 - 2013-11-16 09:20 - 00000934 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2451644212-187192978-2764627041-1001Core.job
2016-05-04 08:42 - 2014-02-23 23:37 - 00000982 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2451644212-187192978-2764627041-500UA.job
2016-05-04 01:13 - 2014-03-08 11:42 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2451644212-187192978-2764627041-500
2016-05-03 23:42 - 2014-02-23 23:37 - 00000960 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2451644212-187192978-2764627041-500Core.job
2016-05-03 23:42 - 2013-11-02 13:14 - 00000000 ____D C:\Program Files (x86)\WTFast
2016-05-03 22:58 - 2014-05-24 09:03 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-05-03 22:47 - 2014-06-17 21:16 - 00000000 ____D C:\Users\Administrator\Desktop\Games
2016-05-03 22:40 - 2012-07-25 21:20 - 00000000 ____D C:\Windows\Setup
2016-05-03 18:25 - 2013-10-16 00:47 - 00000924 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-05-03 18:21 - 2014-01-08 22:23 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Skype
2016-05-03 18:20 - 2015-12-20 05:14 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-05-03 18:20 - 2013-10-14 20:09 - 00000000 ____D C:\Users\liberty\AppData\Roaming\Skype
2016-05-03 18:20 - 2013-10-14 20:09 - 00000000 ____D C:\ProgramData\Skype
2016-05-03 18:19 - 2014-06-04 22:30 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\ViberPC
2016-05-03 18:17 - 2013-10-22 22:17 - 00000000 ____D C:\Users\liberty\AppData\Roaming\2K Sports
2016-05-03 15:15 - 2013-11-26 21:15 - 00000884 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2451644212-187192978-2764627041-1001Core.job
2016-05-03 12:56 - 2014-05-11 10:53 - 00000910 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2451644212-187192978-2764627041-500Core.job
2016-05-03 04:56 - 2013-11-30 16:12 - 00000000 ____D C:\Program Files (x86)\Overwolf
2016-05-03 03:49 - 2013-10-10 19:43 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2451644212-187192978-2764627041-1001
2016-05-03 02:56 - 2013-10-19 13:53 - 00000000 ____D C:\Users\liberty\AppData\Local\CrashDumps
2016-05-03 02:52 - 2012-07-25 21:28 - 00848230 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-03 02:52 - 2012-07-25 19:37 - 00000000 ____D C:\Windows\Inf
2016-05-03 02:48 - 2013-11-30 16:15 - 00000000 ____D C:\Users\liberty\AppData\Local\Purplizer
2016-05-03 02:47 - 2013-11-30 16:02 - 00000000 ____D C:\Users\liberty\AppData\Local\Overwolf
2016-05-03 02:46 - 2013-10-10 19:55 - 00000000 ____D C:\ProgramData\NVIDIA
2016-05-03 02:46 - 2012-07-25 21:22 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-02 11:55 - 2013-10-16 00:31 - 00000000 ____D C:\Users\liberty\AppData\Roaming\Mozilla
2016-05-02 11:53 - 2013-10-10 19:36 - 00000000 ____D C:\Users\liberty
2016-05-02 11:38 - 2013-10-16 22:26 - 00003042 _____ C:\Windows\System32\Tasks\MSIAfterburner
2016-05-02 11:10 - 2014-06-17 20:44 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\DAEMON Tools Lite
2016-05-02 11:10 - 2014-04-08 09:13 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\uTorrent
2016-05-02 11:10 - 2014-01-15 22:06 - 00000000 ____D C:\Users\Administrator\AppData\Local\CrashDumps
2016-05-02 10:47 - 2013-11-26 21:15 - 00003884 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2451644212-187192978-2764627041-1001UA
2016-05-02 10:47 - 2013-11-26 21:15 - 00003504 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2451644212-187192978-2764627041-1001Core
2016-05-02 10:47 - 2013-11-26 21:15 - 00000936 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2451644212-187192978-2764627041-1001UA.job
2016-05-02 01:51 - 2015-05-14 16:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Minimal ADB and Fastboot
2016-05-01 11:58 - 2013-10-17 20:20 - 00000000 ____D C:\Program Files\CPUID
2016-05-01 11:57 - 2016-03-09 22:35 - 00001129 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spotflux.lnk
2016-05-01 11:57 - 2016-01-19 10:26 - 00000731 _____ C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Client.lnk
2016-05-01 11:57 - 2015-10-06 02:02 - 00000959 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 10.lnk
2016-05-01 11:57 - 2015-07-12 12:32 - 00001243 _____ C:\ProgramData\Microsoft\Windows\Start Menu\HP ソリューション センター .lnk
2016-05-01 11:57 - 2015-07-12 12:32 - 00001042 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\I.R.I.S. OCR Registration.lnk
2016-05-01 11:57 - 2015-05-29 21:22 - 00000964 _____ C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Viber.lnk
2016-05-01 11:57 - 2015-05-29 21:22 - 00000958 _____ C:\Users\Administrator\Desktop\Viber.lnk
2016-05-01 11:57 - 2015-01-03 21:01 - 00001031 _____ C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\RaidCall.lnk
2016-05-01 11:57 - 2014-09-15 21:21 - 00001362 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk
2016-05-01 11:57 - 2014-09-15 21:21 - 00001293 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk
2016-05-01 11:57 - 2014-06-17 20:45 - 00001944 _____ C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
2016-05-01 11:57 - 2014-04-30 10:13 - 00002507 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2016-05-01 11:57 - 2014-03-26 23:06 - 00001535 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-05-01 11:57 - 2014-03-23 08:57 - 00001007 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
2016-05-01 11:57 - 2014-03-23 08:57 - 00001001 _____ C:\Users\Public\Desktop\Audacity.lnk
2016-05-01 11:57 - 2014-03-09 12:06 - 00001419 _____ C:\Users\Administrator\Desktop\ComiPo!.lnk
2016-05-01 11:57 - 2014-02-14 20:28 - 00001131 _____ C:\ProgramData\Microsoft\Windows\Start Menu\KakaoTalk.lnk
2016-05-01 11:57 - 2014-01-01 10:28 - 00000355 _____ C:\Users\Administrator\Desktop\My Computer.lnk
2016-05-01 11:57 - 2013-12-30 08:15 - 00000000 ____D C:\Users\Administrator
2016-05-01 11:57 - 2013-10-16 22:35 - 00001060 _____ C:\Users\Public\Desktop\VLC media player.lnk
2016-05-01 11:57 - 2013-10-16 10:21 - 00000924 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP 2.lnk
2016-05-01 11:57 - 2013-10-16 00:34 - 00001096 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-05-01 11:57 - 2012-07-25 10:32 - 00002388 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immersive Control Panel.lnk
2016-05-01 11:57 - 2012-07-25 10:21 - 00000787 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Desktop.lnk
2016-05-01 11:57 - 2012-07-25 10:13 - 00002106 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Store.lnk
2016-05-01 11:56 - 2012-07-25 19:26 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-05-01 11:47 - 2012-07-25 22:12 - 00000000 ____D C:\Windows\system32\GroupPolicy
2016-05-01 11:45 - 2013-12-30 08:15 - 00002044 ____R C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Ехplоrеr.lnk
2016-05-01 11:45 - 2013-10-16 00:48 - 00002214 ____R C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk
2016-05-01 11:45 - 2013-10-16 00:48 - 00002202 ____R C:\Users\liberty\Desktop\Сhrоmе.lnk
2016-05-01 11:45 - 2013-10-16 00:31 - 00001947 ____R C:\Users\Administrator\Desktop\Firеfох.lnk
2016-04-27 10:27 - 2012-07-25 22:12 - 00000000 ___HD C:\Program Files\WindowsApps
2016-04-27 10:27 - 2012-07-25 22:12 - 00000000 ____D C:\Windows\AUInstallAgent
2016-04-27 10:25 - 2014-08-17 15:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2016-04-22 03:56 - 2014-03-20 11:31 - 00000000 ____D C:\Users\Administrator\.gimp-2.8
2016-04-21 21:57 - 2013-10-16 00:45 - 00453288 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-04-19 12:23 - 2014-01-14 21:17 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\vlc
2016-04-17 11:33 - 2013-10-17 09:50 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2016-04-17 00:49 - 2012-07-25 22:12 - 00000000 ____D C:\Windows\AppCompat
2016-04-16 02:50 - 2014-06-07 01:04 - 00000000 ____D C:\Users\Administrator\AppData\Local\ElevatedDiagnostics
2016-04-16 02:50 - 2012-07-25 22:12 - 00000000 ____D C:\Windows\system32\NDF
2016-04-16 02:05 - 2013-10-16 00:31 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-04-15 02:16 - 2014-05-24 09:03 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-04-14 12:41 - 2015-04-14 19:45 - 00000000 ___SD C:\Windows\system32\CompatTel
2016-04-14 12:41 - 2015-04-14 19:45 - 00000000 ____D C:\Windows\system32\appraiser
2016-04-13 03:35 - 2013-10-11 20:12 - 00000000 ____D C:\Windows\system32\MRT
2016-04-13 03:35 - 2012-07-25 21:59 - 00000000 ____D C:\Windows\CbsTemp
2016-04-13 03:31 - 2013-10-11 20:12 - 135176864 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-04-12 16:08 - 2014-05-24 09:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-04-09 02:09 - 2013-10-16 01:58 - 00003718 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater

==================== Files in the root of some directories =======

2014-10-29 21:38 - 2014-11-07 21:19 - 0169472 ____H () C:\Users\Administrator\AppData\Roaming\Data.bin
2015-02-12 20:51 - 2015-02-21 17:50 - 0143360 ____H () C:\Users\Administrator\AppData\Roaming\DBSK-LOG.log
2014-04-03 20:39 - 2014-04-07 20:53 - 0122368 ____H () C:\Users\Administrator\AppData\Roaming\Loader.pptx
2016-04-22 03:48 - 2016-04-22 03:48 - 0004259 _____ () C:\Users\Administrator\AppData\Local\recently-used.xbel
2016-05-01 11:47 - 2016-05-01 11:47 - 0002560 _____ () C:\Users\Administrator\AppData\Local\uninstallssl.exe
2014-03-01 16:45 - 2014-03-01 16:45 - 0004983 _____ () C:\ProgramData\auqrgqib.ttw
2014-03-01 08:42 - 2014-03-01 08:42 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-07-12 12:31 - 2015-07-12 12:33 - 0000843 _____ () C:\ProgramData\hpzinstall.log

Some files in TEMP:
====================
C:\Users\liberty\AppData\Local\Temp\d6158a1717661ea96689042e57f08782.dll
C:\Users\liberty\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\liberty\AppData\Local\Temp\GLF1E1B.tmp.dll
C:\Users\liberty\AppData\Local\Temp\GLF81AE.tmp.dll
C:\Users\liberty\AppData\Local\Temp\Gw2.exe
C:\Users\liberty\AppData\Local\Temp\HiPatchSelfUpdateWindow.exe
C:\Users\liberty\AppData\Local\Temp\HiRezLauncherControls.dll
C:\Users\liberty\AppData\Local\Temp\jna108476921576943320.dll
C:\Users\liberty\AppData\Local\Temp\jna3690078604463811031.dll
C:\Users\liberty\AppData\Local\Temp\jna4909660687816135300.dll
C:\Users\liberty\AppData\Local\Temp\jna5487176235376197061.dll
C:\Users\liberty\AppData\Local\Temp\jna5836416837899998578.dll
C:\Users\liberty\AppData\Local\Temp\jna7667335138696429559.dll
C:\Users\liberty\AppData\Local\Temp\jna7839226335675352307.dll
C:\Users\liberty\AppData\Local\Temp\jna8091825547953953144.dll
C:\Users\liberty\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\liberty\AppData\Local\Temp\jre-8u51-windows-au.exe
C:\Users\liberty\AppData\Local\Temp\lowproc.exe
C:\Users\liberty\AppData\Local\Temp\MotoHelper_2.1.41_Driver_5.5.0.exe
C:\Users\liberty\AppData\Local\Temp\MouseKeyboardCenterx64_1033.exe
C:\Users\liberty\AppData\Local\Temp\nv3DVStreaming.dll
C:\Users\liberty\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\liberty\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\liberty\AppData\Local\Temp\nvStereoApiI.dll
C:\Users\liberty\AppData\Local\Temp\nvStInst.exe
C:\Users\liberty\AppData\Local\Temp\PH_131217to140110.exe
C:\Users\liberty\AppData\Local\Temp\RealPlayer_20130122.exe
C:\Users\liberty\AppData\Local\Temp\sonarinst.exe
C:\Users\liberty\AppData\Local\Temp\stubhelper.dll
C:\Users\liberty\AppData\Local\Temp\vcredist_x64.exe
C:\Users\liberty\AppData\Local\Temp\vcredist_x86.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-30 03:00

==================== End of FRST.txt ============================

Attached Files


Edited by rikuhj, 04 May 2016 - 03:49 PM.


#4 nasdaq

  • Malware Response Team
  • 39,519 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:26 AM

Posted 05 May 2016 - 06:52 AM



Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk [2016-05-03]
ShortcutTarget: mysystem.lnk -> C:\Program Files (x86)\Microsoft Corporation\SystemAlert.exe (Microsoft Corporation)
FF Plugin-x32: @esn/npbattlelog,version=2.3.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.3.1\npbattlelog.dll [No File]
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
U0 mfjgt; C:\Windows\System32\drivers\pnyxvm.sys [79064 2016-05-03] (Malwarebytes)
U0 wesow; C:\Windows\System32\drivers\mpcsit.sys [79064 2016-05-03] (Malwarebytes)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [X]
S3 VBoxNetFlt; \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk
C:\Program Files (x86)\Microsoft Corporation\SystemAlert.exe
C:\Windows\System32\drivers\pnyxvm.sys
C:\Windows\System32\drivers\mpcsit.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

You have attached the FRST.txt file.
I need to see the Addition.txt file that was created by the Farbar tool.

How is the computer running now?
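As an added triage example (not part of nasdaq's reply or of the FRST tool itself), the script below reads FRST-format lines like the ones in the fix above and flags what a helper looks for: Startup shortcuts and drivers created around the incident date, and service entries whose file is missing ([X]). The line shapes are assumed from this thread's log; the sample lines are copied from the fix list.

```python
import re
from datetime import date

# Constructed sample, copied from the FRST entries quoted in the fix above: a Startup
# shortcut, its resolved target, a recently created driver and two services whose file is gone.
FRST_SAMPLE = r"""
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk [2016-05-03]
ShortcutTarget: mysystem.lnk -> C:\Program Files (x86)\Microsoft Corporation\SystemAlert.exe (Microsoft Corporation)
U0 mfjgt; C:\Windows\System32\drivers\pnyxvm.sys [79064 2016-05-03] (Malwarebytes)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 VBoxNetFlt; \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys [X]
""".strip().splitlines()

# Line shapes as they appear in the thread's FRST output (assumed stable for this example).
STARTUP_RE = re.compile(r"^Startup: (?P<path>.+\.lnk) \[(?P<date>\d{4}-\d{2}-\d{2})\]$")
TARGET_RE = re.compile(r"^ShortcutTarget: (?P<lnk>\S+) -> (?P<target>.+?) \((?P<vendor>[^()]*)\)$")
DRIVER_RE = re.compile(
    r"^(?P<start>[A-Z]\d) (?P<name>[^;]+); (?P<path>.+?) \[(?P<info>[^\]]*)\](?: \((?P<vendor>[^()]*)\))?$"
)


def triage(lines, incident_date, window_days=3):
    """Return (kind, name, reason) tuples for entries worth a closer look: Startup
    shortcuts and drivers created within window_days of the incident, and service
    entries whose file is missing. A hit means "review", not "malware": the
    Malwarebytes driver is a benign example of a recently created driver."""
    if isinstance(incident_date, str):  # accept "YYYY-MM-DD" as well as a date
        incident_date = date.fromisoformat(incident_date)
    # First pass: map each .lnk name to its resolved target so findings can show it.
    targets = {m["lnk"]: f"{m['target']} ({m['vendor']})"
               for m in map(TARGET_RE.match, lines) if m}
    findings = []
    for line in lines:
        m = STARTUP_RE.match(line)
        if m:
            created = date.fromisoformat(m["date"])
            lnk = m["path"].rsplit("\\", 1)[-1]
            if abs((incident_date - created).days) <= window_days:
                findings.append(("startup", lnk, f"created {created}, runs {targets.get(lnk, '?')}"))
            continue
        m = DRIVER_RE.match(line)
        if not m:
            continue
        if m["info"] == "X":
            findings.append(("service", m["name"], "registry entry points to a missing file"))
        else:
            created = date.fromisoformat(m["info"].split()[1])
            if abs((incident_date - created).days) <= window_days:
                findings.append(("driver", m["name"], f"{m['path']} created {created}"))
    return findings
```

Run it with the date the activation screen first appeared (2016-05-03 in this thread) and compare the hits with what the helper chose to remove.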

#5 rikuhj

rikuhj
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:26 AM

Posted 05 May 2016 - 04:01 PM

I think the activation screen went away as I did what your instructions told me to do. I posted the FRST.txt and the Fixlog anyway just to finalize and see what you have for me next. Thank you so much :)



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,519 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:26 AM

Posted 06 May 2016 - 06:23 AM

Good news.

Again you attached the FRST log.

I was looking for the Addition.txt file contents.

Post it and I will check it.

#7 rikuhj

rikuhj
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:26 AM

Posted 06 May 2016 - 07:25 AM

Ahh, I thought I posted it. Here it is once again, hope this is it :P




#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,519 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:26 AM

Posted 06 May 2016 - 09:48 AM

Looking good.

===

However, your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features applet.
Java 8 Update 73 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218073F0}) (Version: 8.0.730.2 - Oracle Corporation)

---

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide, Best Security Practices, to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#9 rikuhj

rikuhj
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:26 AM

Posted 06 May 2016 - 03:22 PM

Thank you for the help, nasdaq. I wish I could buy you a beer right now for doing your best and being patient with me. Thanks again :)



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,519 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:26 AM

Posted 07 May 2016 - 07:25 AM

Glad we could help.

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,519 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:26 AM

Posted 13 May 2016 - 09:20 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



