
In Progress Infected with "Win32:Virut"

Discussion in 'Virus & Other Malware Removal' started by RickyGani, Jul 27, 2016.

  1. RickyGani

    RickyGani Thread Starter

    Joined:
    Jul 24, 2016
    Messages:
    29
    A few days ago, I found my computer unable to open cmd, msconfig, Task Manager, etc. I made a post in the Windows 7 forum. They pointed me to some virus removal app, which didn't really solve the problem. Long story short, Avast! later found this "RootKit" named Win32:Virut.

    I googled it and found out that it infects all the .exe files in the whole system. Now my computer still can't open Task Manager and msconfig. But it's able to open "Steam", though not the games. So is there any way to save my PC without a "Factory Reset"?

    (Please don't say System Restore, because I have no Restore Points... I knew nothing about that before this whole madness happened, so yeah)
     
  2. RickyGani

    RickyGani Thread Starter

    Joined:
    Jul 24, 2016
    Messages:
    29
    Just read the sticky; I'm sorry for the lack of this info, but here it is:

    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows 7 Ultimate, Service Pack 1, 32 bit
    Processor: Intel(R) Core(TM) i3-2100 CPU @ 3.10GHz, x64 Family 6 Model 42 Stepping 7
    Processor Count: 4
    RAM: 3551 Mb
    Graphics Card: NVIDIA GeForce GT 630, -2048 Mb
    Hard Drives: C: Total - 178372 MB, Free - 64060 MB; D: Total - 59998 MB, Free - 24092 MB;
    Motherboard: ASUSTeK COMPUTER INC., P8H61-M LX R2.0
    Antivirus: avast! Antivirus, Updated and Enabled

    And also, every time I boot my PC, Avast pops up and says there's a Win32:evo-gen (Susp) detected...
    Looking forward to a reply :D. I know this is a free and busy forum, so I understand if it takes a bit until someone answers; I'm cool with that.
     
  3. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Hello RickyGani and welcome to TSG,

    My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, and continue as follows please:

    Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

    Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

    Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

    Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
    NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

    Next,

    Follow the instructions in the following link to show hidden files:

    http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

    Next,

    Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

    There are three buttons to choose from with different names on, select the first one and save it to your desktop.

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
    • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
    • If the tool does not run from any of the links provided, please let me know.

    Next,

    Download Farbar Recovery Scan Tool and save it to your desktop.

    Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    If your security software alerts on FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

    • Double-click to run it. When the tool opens click Yes to disclaimer.
      (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
    • Make sure Addition.txt is checkmarked under "Optional scans"
    • Press Scan button to run the tool....
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

    Let me see those logs in your reply....

    Thank you,

    Kevin.....
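Once the FRST.txt requested above comes back, the first pass a helper makes is over its Registry and Internet sections, looking for logon persistence (extra Winlogon Userinit entries), a system proxy pointed at loopback, removable-media autorun targets, and FRST's own ATTENTION markers. The triage script below is an added example, not part of this thread or of FRST itself; the heuristics are mine, and SAMPLE_LOG is a constructed log modelled on the FRST line format.

```python
"""Triage the Registry and Internet sections of an FRST.txt log.

Added example (not part of this thread or of FRST): flags the entries a
malware helper looks at first: extra Winlogon Userinit entries, a proxy
pointed at loopback, autorun MountPoints2 targets, and FRST's own
"<======= ATTENTION" markers.  SAMPLE_LOG is constructed for the demo and
modelled on the FRST line format.
"""
import re

SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===========================

HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [8900328 2016-07-25] (AVAST Software)
HKLM\...\Winlogon: [Userinit] userinit.exe,c:\program files\microsoft\watermark.exe,
HKU\S-1-5-21-1000\...\MountPoints2: {16e13a3a-eb3e-11e5-bf0a-50465db22bc9} - F:\setup.exe
GroupPolicy: Restriction - Chrome <======= ATTENTION

==================== Internet (Whitelisted) ====================

ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:3228;https=127.0.0.1:3228
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
"""

WINLOGON_RE = re.compile(r"Winlogon: \[Userinit\] (.+)$")
PROXY_RE = re.compile(r"ProxyServer: \[[^\]]+\] => (.+)$")
MOUNTPOINT_RE = re.compile(r"MountPoints2: (\S+) - (.+)$")
LOOPBACK_RE = re.compile(r"\b(127\.\d+\.\d+\.\d+|localhost)\b", re.IGNORECASE)
ATTENTION_MARK = "<======= ATTENTION"


def userinit_extras(value):
    """Return every Userinit entry that is not the system userinit.exe.

    A clean Windows 7 value is "userinit.exe," (or its full path); anything
    appended after it is launched at every interactive logon.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename != "userinit.exe":
            extras.append(entry)
    return extras


def triage(log_text):
    """Walk an FRST log and return (kind, detail) findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = WINLOGON_RE.search(line)
        if m:
            for extra in userinit_extras(m.group(1)):
                findings.append(("userinit-hijack", extra))
        m = MOUNTPOINT_RE.search(line)
        if m:
            # Removable-media autorun shortcut; FRST lists the target for review.
            findings.append(("autorun-mountpoint", m.group(2)))
        if ATTENTION_MARK in line:
            # FRST already marks policy restrictions and dev builds; surface them.
            findings.append(("attention", line.split(" " + ATTENTION_MARK)[0]))
        m = PROXY_RE.search(line)
        if m and LOOPBACK_RE.search(m.group(1)):
            # A system proxy on 127.0.0.1 means a local process sees all browser traffic.
            findings.append(("loopback-proxy", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
```

Point `triage()` at the contents of a real FRST.txt to get the same four classes of findings for that log; entries it does not flag still need the usual manual read.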
     
  4. RickyGani

    RickyGani Thread Starter

    Joined:
    Jul 24, 2016
    Messages:
    29
    First, I'm sorry for the late reply, I was away. Thank you for your helpful response, and here's the log that you requested...

    FRST.txt:

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-07-2016
    Ran by KBS-3 (administrator) on GANI-2 (30-07-2016 11:05:30)
    Running from C:\Users\KBS-3\Desktop
    Loaded Profiles: KBS-3 (Available Profiles: KBS-3 & New)
    Platform: Microsoft Windows 7 Ultimate Service Pack 1 (X86) Language: English (United States)
    Internet Explorer Version 11 (Default browser: Chrome)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    Failed to access process -> csrss.exe
    Failed to access process -> csrss.exe
    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    (Google Inc.) C:\Program Files\Google\Chrome Remote Desktop\52.0.2743.48\remoting_host.exe
    (Google Inc.) C:\Program Files\Google\Chrome Remote Desktop\52.0.2743.48\remoting_host.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
    (Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
    (Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
    (Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
    (Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
    (Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
    Failed to access process -> NvStreamNetworkService.exe
    Failed to access process -> conhost.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
    (Google Inc.) C:\Program Files\Google\Update\1.3.30.3\GoogleCrashHandler.exe
    (AsusTek) C:\Program Files\ASUS\ASUS Smart Gesture\AsTPCenter\x86\AsusTPLoader.exe
    (AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
    Failed to access process -> WmiPrvSE.exe
    (ASUSTeK Computer Inc.) C:\Program Files\ASUS\ASUS Smart Gesture\QuickGesture\x86\QuickGesture.exe
    (AsusTek) C:\Program Files\ASUS\ASUS Smart Gesture\AsTPCenter\x86\AsusTPCenter.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe
    (ASUSTeK Computer Inc.) C:\Program Files\ASUS\ASUS Smart Gesture\AsTPCenter\x86\AsusSmartGestureDetector.exe
    (Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
    (ASUSTeK Computer Inc.) C:\Program Files\ASUS\ASUS Smart Gesture\AsTPCenter\x86\AsusSGPlusBTServer.exe
    (AsusTek) C:\Program Files\ASUS\ASUS Smart Gesture\AsTPCenter\x86\AsusTPHelper.exe
    (Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    (Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    (Valve Corporation) C:\Program Files\Steam\Steam.exe
    (Valve Corporation) C:\Program Files\Steam\bin\steamwebhelper.exe
    (Microsoft Corporation) C:\Windows\System32\CompatTelRunner.exe
    (Microsoft Corporation) C:\Windows\System32\CompatTelRunner.exe
    (Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe


    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [] => [X]
    HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [8900328 2016-07-25] (AVAST Software)
    HKLM\...\Winlogon: [Userinit] userinit.exe,c:\program files\microsoft\watermark.exe,
    HKU\S-1-5-21-236803536-1301839972-3714144713-1000\...\RunOnce: [Application Restart #3] => C:\Program Files\Google\Chrome\Application\chrome.exe [941720 2016-06-15] (Google Inc.)
    HKU\S-1-5-21-236803536-1301839972-3714144713-1000\...\MountPoints2: E - E:\Setup.exe
    HKU\S-1-5-21-236803536-1301839972-3714144713-1000\...\MountPoints2: {16e13a3a-eb3e-11e5-bf0a-50465db22bc9} - F:\setup.exe
    HKU\S-1-5-21-236803536-1301839972-3714144713-1000\...\MountPoints2: {19a58e84-4d86-11e5-a133-50465db22bc9} - E:\Setup.exe
    HKU\S-1-5-21-236803536-1301839972-3714144713-1000\...\MountPoints2: {19a58e87-4d86-11e5-a133-50465db22bc9} - E:\Setup.exe
    HKU\S-1-5-21-236803536-1301839972-3714144713-1000\...\MountPoints2: {466c5cf2-4d74-11e2-92d8-806e6f6e6963} - D:\Bin\ASSETUP.exe
    HKU\S-1-5-21-236803536-1301839972-3714144713-1000\...\MountPoints2: {74fc32a2-5e7a-11e5-8eff-50465db22bc9} - G:\LG_PC_Programs.exe
    HKU\S-1-5-21-236803536-1301839972-3714144713-1000\...\MountPoints2: {8518863b-8652-11e3-979f-50465db22bc9} - E:\CheckID.exe
    HKU\S-1-5-21-236803536-1301839972-3714144713-1000\...\MountPoints2: {e555e9dc-593a-11e2-8eb6-50465db22bc9} - E:\LaunchU3.exe -a
    HKU\S-1-5-21-236803536-1301839972-3714144713-1000\...\MountPoints2: {eb179de8-d3d7-11e5-a671-50465db22bc9} - F:\Setup.exe
    HKU\S-1-5-21-236803536-1301839972-3714144713-1000\...\MountPoints2: {ec2ba0e4-fc69-11e5-aedb-50465db22bc9} - E:\Setup.exe
    ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\ProgramData\MEGAsync\ShellExtX32.dll [2016-07-26] ()
    ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\ProgramData\MEGAsync\ShellExtX32.dll [2016-07-26] ()
    ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\ProgramData\MEGAsync\ShellExtX32.dll [2016-07-26] ()
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2016-07-25] (AVAST Software)
    Startup: C:\Users\KBS-3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEGAsync.lnk [2016-05-27]
    ShortcutTarget: MEGAsync.lnk -> C:\ProgramData\MEGAsync\MEGAsync.exe (Mega Limited)
    AlternateShell:
    GroupPolicy: Restriction - Chrome <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    ProxyEnable: [.DEFAULT] => Proxy is enabled.
    ProxyServer: [.DEFAULT] => http=127.0.0.1:3228;https=127.0.0.1:3228
    AutoConfigURL: [.DEFAULT] => http=127.0.0.1:3228;https=127.0.0.1:3228
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 118.136.64.4 202.73.99.4 202.73.99.2
    Tcpip\..\Interfaces\{36629748-01C4-44A6-84F4-B7C21F87C29B}: [NameServer] 208.67.222.222,202.73.99.8
    Tcpip\..\Interfaces\{36629748-01C4-44A6-84F4-B7C21F87C29B}: [DhcpNameServer] 192.168.1.1
    Tcpip\..\Interfaces\{A7116A7C-E472-4468-A2D6-629265C1DA03}: [DhcpNameServer] 192.168.42.129
    Tcpip\..\Interfaces\{A7DACEC8-4582-489E-B066-0944FEA672C3}: [DhcpNameServer] 118.136.64.4 202.73.99.4 202.73.99.2

    Internet Explorer:
    ==================
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
    BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_65\bin\ssv.dll [2015-11-14] (Oracle Corporation)
    BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-07-25] (AVAST Software)
    BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
    BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
    BHO: Free Download Manager -> {CC59E0F9-7E43-44FA-9FAA-8377850BF205} -> C:\Program Files\Free Download Manager\iefdm2.dll [2015-07-08] (FreeDownloadManager.ORG)
    BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_65\bin\jp2ssv.dll [2015-11-14] (Oracle Corporation)
    BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
    Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
    Toolbar: HKU\S-1-5-21-236803536-1301839972-3714144713-1000 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-26] (Microsoft Corporation)
    Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL [2000-04-19] (Microsoft Corporation)
    StartMenuInternet: IEXPLORE.EXE - iexplore.exe

    FireFox:
    ========
    FF ProfilePath: C:\Users\KBS-3\AppData\Roaming\Mozilla\Firefox\Profiles\2rcs5sq5.default
    FF NewTab: about:newtab
    FF Homepage: hxxps://www.malwarebytes.org/restorebrowser/_adwrldint_16_18&param1=1&param2=f%3D1%26b%3DFirefox%26cc%3Did%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzuyDtDyEyCyD0D0BtBtB0B0Czy0A0FtAtAtN0D0Tzu0StCyDzzyEtN1L2XzutAtFtBtCtFtCtFtCtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2SyEyBtAyC0EyEyCzytGyD0FyC0EtGyBzyyB0AtGtA0EtA0FtGyE0ByC0AtDzyyBtAyCtAtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0B0EtAyDtD0B0FtGzy0FtDyEtGyE0EtC0EtGzyzy0A0DtG0BtCtDzyyCtByDyC0E0FyCyB2QtN0A0LzuyE%26cr%3D609242580%26a%3Dwncy_adwrldint_16_18%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_168.dll [2013-09-13] ()
    FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1215155.dll [2014-12-02] (Adobe Systems, Inc.)
    FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2016-07-26] (Google)
    FF Plugin: @Intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
    FF Plugin: @Intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
    FF Plugin: @java.com/DTPlugin,version=11.65.2 -> C:\Program Files\Java\jre1.8.0_65\bin\dtplugin\npDeployJava1.dll [2015-11-14] (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=11.65.2 -> C:\Program Files\Java\jre1.8.0_65\bin\plugin2\npjp2.dll [2015-11-14] (Oracle Corporation)
    FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
    FF Plugin: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
    FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-05-28] (NVIDIA Corporation)
    FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-05-28] (NVIDIA Corporation)
    FF Plugin: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll [2012-12-13] ()
    FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
    FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
    FF Plugin: @videolan.org/vlc,version=2.0.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
    FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
    FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-06-23] (Adobe Systems Inc.)
    FF Plugin HKU\S-1-5-21-236803536-1301839972-3714144713-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\KBS-3\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-07-11] (Unity Technologies ApS)
    FF Plugin HKU\S-1-5-21-236803536-1301839972-3714144713-1000: Nagravision.com/PBM -> C:\Users\KBS-3\AppData\Roaming\Nagravision\PBM\npNMPCBrowserPlugin.dll [2016-07-26] (Nagravision)
    FF Plugin HKU\S-1-5-21-236803536-1301839972-3714144713-1000: ubisoft.com/uplaypc -> C:\Program Files\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [No File]
    FF Extension: Dashlane - C:\Users\KBS-3\AppData\Roaming\Mozilla\Firefox\Profiles\2rcs5sq5.default\Extensions\[email protected] [2016-06-22]
    FF Extension: FireFTP - C:\Users\KBS-3\AppData\Roaming\Mozilla\Firefox\Profiles\2rcs5sq5.default\Extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f} [2016-06-24]
    FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
    FF Extension: Adobe Acrobat - Create PDF - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2013-01-04] [not signed]
    FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF
    FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-07-25]
    FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
    FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-07-25]
    FF HKU\S-1-5-21-236803536-1301839972-3714144713-1000\...\Firefox\Extensions: [[email protected]] - C:\ProgramData\Free Download Manager\Firefox\Extensions\2.1.4
    FF Extension: Free Download Manager extension - C:\ProgramData\Free Download Manager\Firefox\Extensions\2.1.4 [2016-04-20]

    Chrome:
    =======
    CHR dev: Chrome dev build detected! <======= ATTENTION
    CHR StartupUrls: Profile 1 -> "hxxps://www.google.com/","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1405858944&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1405928737&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1405996433&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1406038286&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1406085112&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1406516798&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1406532487&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1406603850&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1406637893&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1406690124&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1406695688&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1406775540&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1406855006&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1406888202&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1406951313&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1406993418&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1407038607&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1407056879&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1407227708&from=ild&uid=ST250DM000-1BD141_5VY8JRM4","hxxp://isearch.omiga-plus.com/?type=hppp&ts=1407235068&from=ild&uid=ST250DM000-1BD141_5VY8JRM4",
    CHR Profile: C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Drive) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-23]
    CHR Extension: (YouTube) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-26]
    CHR Extension: (Adblock Plus) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-07-21]
    CHR Extension: (Google Search) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
    CHR Extension: (Stopwatch) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggnidjbcahhbnleinchgobfnabopeioh [2015-07-30]
    CHR Extension: (Google Docs Offline) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-17]
    CHR Extension: (Unlimited Free VPN - Betternet) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjknjjomckknofjidppipffbpoekiipm [2016-05-25]
    CHR Extension: (Chrome Web Store Payments) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
    CHR Extension: (Gmail) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-07-26]
    CHR Profile: C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 1
    CHR Extension: (Google Slides) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-12-03]
    CHR Extension: (Google Docs) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-12-03]
    CHR Extension: (Google Drive) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-12-03]
    CHR Extension: (YouTube) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-12-03]
    CHR Extension: (Google Search) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-12-03]
    CHR Extension: (Google Sheets) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-12-03]
    CHR Extension: (Chrome Remote Desktop) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp [2016-07-21]
    CHR Extension: (Google Docs Offline) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-05-25]
    CHR Extension: (AdBlock) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-07-08]
    CHR Extension: (Avast Online Security) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-07-27]
    CHR Extension: (Chrome Web Store Payments) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-25]
    CHR Extension: (Gmail) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-12-03]
    CHR Profile: C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 2
    CHR Extension: (Chrome Web Store Payments) - C:\Users\KBS-3\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-25]
    CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AdobeARMservice; C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe [82128 2016-06-25] (Adobe Systems Incorporated) [File not signed]
    S4 AdobeFlashPlayerUpdateSvc; C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [257416 2013-09-13] (Adobe Systems Incorporated) [File not signed]
    S3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe [45744 2015-11-05] (Microsoft Corporation) [File not signed]
    R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-07-25] (AVAST Software)
    S4 BstHdAndroidSvc; C:\Program Files\BlueStacks\HD-Service.exe [433880 2015-05-07] (BlueStack Systems, Inc.)
    S4 BstHdLogRotatorSvc; C:\Program Files\BlueStacks\HD-LogRotatorService.exe [413400 2015-05-07] (BlueStack Systems, Inc.)
    S4 BstHdUpdaterSvc; C:\Program Files\BlueStacks\HD-UpdaterService.exe [806616 2015-05-07] (BlueStack Systems, Inc.)
    R2 chromoting; C:\Program Files\Google\Chrome Remote Desktop\52.0.2743.48\remoting_host.exe [76616 2016-06-20] (Google Inc.)
    S2 clr_optimization_v4.0.30319_32; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [105144 2015-11-05] (Microsoft Corporation) [File not signed]
    S3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe [1126080 2016-03-01] (Disc Soft Ltd)
    S3 EasyAntiCheat; C:\Windows\system32\EasyAntiCheat.exe [245544 2016-06-30] (EasyAntiCheat Ltd) [File not signed]
    S4 Fax; C:\Windows\system32\fxssvc.exe [567808 2016-07-26] () [File not signed]
    R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [919184 2015-05-28] (NVIDIA Corporation) [File not signed]
    S2 gupdate; C:\Program Files\Google\Update\GoogleUpdate.exe [107848 2015-06-21] (Google Inc.) [File not signed]
    S3 gupdatem; C:\Program Files\Google\Update\GoogleUpdate.exe [107848 2015-06-21] (Google Inc.) [File not signed]
    R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [462048 2012-04-20] (Intel(R) Corporation) [File not signed]
    R2 jhi_service; C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation) [File not signed]
    R2 LMS; C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [277824 2012-07-17] (Intel Corporation) [File not signed]
    S3 Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [64856 2009-02-26] (Microsoft Corporation) [File not signed]
    S4 MozillaMaintenance; C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe [146888 2016-06-29] (Mozilla Foundation) [File not signed]
    S4 msiserver; C:\Windows\System32\msiexec.exe [117760 2016-04-14] (Microsoft Corporation) [File not signed]
    R2 NvNetworkService; C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe [1893008 2015-05-28] (NVIDIA Corporation)
    R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [20694160 2015-05-28] (NVIDIA Corporation)
    R2 nvsvc; C:\Windows\system32\nvvsvc.exe [672064 2015-05-28] (NVIDIA Corporation) [File not signed]
    S3 odserv; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [440696 2011-07-20] (Microsoft Corporation) [File not signed]
    S3 Origin Client Service; C:\Program Files\Origin\OriginClientService.exe [2120712 2016-05-26] (Electronic Arts) [File not signed]
    S3 ose; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [145184 2006-10-26] (Microsoft Corporation) [File not signed]
    S4 ss_conn_service; C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe [743688 2014-10-13] (DEVGURU Co., LTD.) [File not signed]
    S4 Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [835776 2015-02-19] (Valve Corporation) [File not signed]
    S4 Stereo Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [410768 2015-05-28] (NVIDIA Corporation) [File not signed]
    S3 SwitchBoard; C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
    S4 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [5702416 2015-09-11] (TeamViewer GmbH) [File not signed]
    R2 UNS; C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [365376 2012-07-17] (Intel Corporation) [File not signed]
    R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
    R2 wlidsvc; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [1713904 2012-07-17] (Microsoft Corp.) [File not signed]

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R3 AsusVBus; C:\Windows\System32\DRIVERS\AsusVBus.sys [33048 2015-07-31] (Windows (R) Win 7 DDK provider)
    R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [34008 2016-07-25] (AVAST Software)
    R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [35096 2016-07-26] (AVAST Software)
    R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [91680 2016-07-25] (AVAST Software)
    R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [91232 2016-07-25] (AVAST Software)
    R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [60424 2016-07-25] (AVAST Software)
    R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [816304 2016-07-25] (AVAST Software)
    R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [438296 2016-07-25] (AVAST Software)
    R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [118152 2016-07-25] (AVAST Software)
    R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [222056 2016-07-25] (AVAST Software)
    R3 ATP; C:\Windows\System32\DRIVERS\AsusTP.sys [66872 2015-07-31] (ASUS Corporation)
    R2 BstHdDrv; C:\Program Files\BlueStacks\HD-Hypervisor-x86.sys [131288 2015-05-07] (BlueStack Systems)
    S3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
    S3 dg_ssudbus; C:\Windows\System32\DRIVERS\ssudbus.sys [108032 2016-04-25] (Samsung Electronics Co., Ltd.)
    R3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [26168 2016-03-16] (Disc Soft Ltd)
    R3 dtliteusbbus; C:\Windows\System32\DRIVERS\dtliteusbbus.sys [40504 2016-03-16] (Disc Soft Ltd)
    S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [19984 2014-11-10] ()
    S3 igfx; C:\Windows\System32\DRIVERS\igdkmd32.sys [7401984 2012-08-03] (Intel Corporation) [File not signed]
    R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [55104 2012-07-02] (Intel Corporation)
    S3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [1174880 2011-03-29] (Ralink Technology Corp.)
    R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [18576 2015-05-28] (NVIDIA Corporation)
    R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad32v.sys [32912 2015-05-28] (NVIDIA Corporation)
    S3 SecurAble; C:\Windows\system32\securable.sys [15464 2016-03-11] (Gibson Research Corp.)
    S3 ssudmdm; C:\Windows\System32\DRIVERS\ssudmdm.sys [199936 2016-04-25] (Samsung Electronics Co., Ltd.)
    S3 ssudserd; C:\Windows\System32\DRIVERS\ssudserd.sys [184192 2014-10-13] (DEVGURU Co., LTD.(www.devguru.co.kr))
    S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-07-30 11:05 - 2016-07-30 11:06 - 00037425 _____ C:\Users\KBS-3\Desktop\FRST.txt
    2016-07-30 11:04 - 2016-07-30 11:05 - 00000000 ____D C:\FRST
    2016-07-30 11:04 - 2016-07-30 11:04 - 01744384 _____ (Farbar) C:\Users\KBS-3\Desktop\FRST.exe
    2016-07-30 11:01 - 2016-07-30 11:01 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\KBS-3\Desktop\rkill.exe
    2016-07-30 10:57 - 2016-07-30 11:03 - 00005322 _____ C:\Users\KBS-3\Desktop\Rkill.txt
    2016-07-28 09:32 - 2016-07-28 09:32 - 00509440 _____ (Tech Support Guy System) C:\Users\KBS-3\Desktop\SysInfo.exe
    2016-07-27 10:10 - 2016-07-27 10:11 - 06743552 _____ (ESET spol. s r.o.) C:\Users\KBS-3\Desktop\esetonlinescanner_enu.exe
    2016-07-26 19:18 - 2016-07-26 19:18 - 00001124 _____ C:\Users\Public\Desktop\Avast SafeZone Browser.lnk
    2016-07-26 19:18 - 2016-07-26 19:18 - 00001124 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
    2016-07-26 19:17 - 2016-07-26 19:17 - 00035096 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
    2016-07-26 19:00 - 2016-07-26 19:00 - 00005758 _____ C:\Users\KBS-3\Downloads\exe.reg
    2016-07-25 20:06 - 2016-07-25 20:08 - 00002243 _____ C:\Windows\epplauncher.mif
    2016-07-25 20:06 - 2016-07-25 20:06 - 11640664 _____ (Microsoft Corporation) C:\Users\KBS-3\Downloads\mseinstall.exe
    2016-07-25 19:56 - 2016-07-25 19:50 - 00319248 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
    2016-07-25 19:52 - 2016-07-25 19:52 - 00000000 ____D C:\Users\KBS-3\AppData\Roaming\AVAST Software
    2016-07-25 19:52 - 2016-07-25 19:52 - 00000000 ____D C:\Users\KBS-3\AppData\Local\CEF
    2016-07-25 19:51 - 2016-07-25 19:56 - 00002081 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
    2016-07-25 19:51 - 2016-07-25 19:56 - 00000350 ____H C:\Windows\Tasks\avast! Emergency Update.job
    2016-07-25 19:51 - 2016-07-25 19:51 - 00438296 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
    2016-07-25 19:51 - 2016-07-25 19:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
    2016-07-25 19:51 - 2016-07-25 19:51 - 00000000 ____D C:\Program Files\Common Files\AV
    2016-07-25 19:51 - 2016-07-25 19:50 - 00816304 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
    2016-07-25 19:51 - 2016-07-25 19:50 - 00222056 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
    2016-07-25 19:51 - 2016-07-25 19:50 - 00118152 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
    2016-07-25 19:51 - 2016-07-25 19:50 - 00091680 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
    2016-07-25 19:51 - 2016-07-25 19:50 - 00091232 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
    2016-07-25 19:51 - 2016-07-25 19:50 - 00060424 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
    2016-07-25 19:51 - 2016-07-25 19:50 - 00034008 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
    2016-07-25 19:50 - 2016-07-26 19:17 - 00000000 ____D C:\Program Files\AVAST Software
    2016-07-25 19:50 - 2016-07-25 19:50 - 00921280 _____ (Microsoft Corporation) C:\Windows\ucrtbase.dll
    2016-07-25 19:50 - 2016-07-25 19:50 - 00053208 _____ (AVAST Software) C:\Windows\avastSS.scr
    2016-07-25 19:49 - 2016-07-26 19:17 - 00000000 ____D C:\ProgramData\AVAST Software
    2016-07-25 19:49 - 2016-07-25 19:49 - 06253640 _____ (AVAST Software) C:\Users\KBS-3\Downloads\avast_free_antivirus_setup_online_cnet_2.exe
    2016-07-25 10:34 - 2016-07-25 10:34 - 00000000 ____D C:\Users\KBS-3\AppData\Local\ESET
    2016-07-25 10:33 - 2016-07-25 10:34 - 06759552 ____N (ESET spol. s r.o.) C:\Users\KBS-3\Downloads\esetonlinescanner_enu.exe
    2016-07-25 10:14 - 2016-07-25 10:14 - 00000000 ____D C:\Program Files\ESET
    2016-07-25 10:09 - 2016-07-25 10:09 - 03017376 _____ (ESET) C:\Users\KBS-3\Downloads\eset_nod32_antivirus_live_installer.exe
    2016-07-25 00:55 - 2016-07-27 12:23 - 13484522 _____ C:\Users\KBS-3\Desktop\Polaris.zip
    2016-07-24 21:43 - 2016-07-24 21:43 - 03712064 ____N C:\Users\KBS-3\Downloads\AdwCleaner.exe
    2016-07-24 21:32 - 2016-07-24 21:45 - 00000016 _____ C:\Windows\dmlconf.dat
    2016-07-24 20:48 - 2016-07-24 20:50 - 00000000 ____D C:\Users\New\AppData\Local\CrashDumps
    2016-07-24 20:16 - 2016-07-25 18:11 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
    2016-07-24 20:07 - 2016-07-26 22:07 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
    2016-07-24 20:07 - 2016-07-24 20:07 - 00001066 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2016-07-24 20:07 - 2016-07-24 20:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
    2016-07-24 20:07 - 2016-03-10 14:09 - 00053120 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
    2016-07-24 20:07 - 2016-03-10 14:08 - 00126336 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
    2016-07-24 20:07 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
    2016-07-24 17:00 - 2016-07-26 19:13 - 00000016 _____ C:\Windows\system32\dmlconf.dat
    2016-07-24 16:59 - 2016-07-24 16:59 - 00000012 _____ C:\Windows\explorer.exe.local
    2016-07-21 11:42 - 2016-07-21 11:42 - 00000000 ____D C:\Users\KBS-3\AppData\Local\pip
    2016-07-21 11:41 - 2016-07-21 11:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7
    2016-07-21 11:35 - 2016-07-24 20:06 - 00000000 ____D C:\Users\KBS-3\Desktop\map
    2016-07-21 03:02 - 2016-07-21 03:02 - 00000000 ____D C:\Windows\EOONotify
    2016-07-18 11:14 - 2016-06-26 03:01 - 00037096 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
    2016-07-18 11:14 - 2016-06-26 02:54 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\win32spl.dll
    2016-07-18 11:14 - 2016-06-26 02:53 - 01004544 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
    2016-07-18 11:14 - 2016-06-26 02:53 - 00779776 _____ (Microsoft Corporation) C:\Windows\system32\localspl.dll
    2016-07-18 11:14 - 2016-06-26 02:53 - 00297472 _____ (Microsoft Corporation) C:\Windows\system32\ntprint.dll
    2016-07-18 11:14 - 2016-06-26 02:53 - 00126464 _____ (Microsoft Corporation) C:\Windows\system32\inetpp.dll
    2016-07-18 11:14 - 2016-06-26 02:42 - 00039424 _____ (Microsoft Corporation) C:\Windows\system32\wpnpinst.exe
    2016-07-18 11:14 - 2016-06-26 02:41 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\ntprint.exe
    2016-07-18 11:14 - 2016-06-26 02:41 - 00018944 _____ (Microsoft Corporation) C:\Windows\system32\inetppui.dll
    2016-07-18 11:14 - 2016-06-22 20:06 - 00208896 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
    2016-07-18 11:14 - 2016-06-18 01:23 - 01288192 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
    2016-07-18 11:14 - 2016-06-18 01:23 - 00468992 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
    2016-07-18 11:14 - 2016-06-18 01:23 - 00461312 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
    2016-07-18 11:14 - 2016-06-18 01:23 - 00251392 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
    2016-07-18 11:14 - 2016-06-18 01:23 - 00179712 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
    2016-07-18 11:14 - 2016-06-18 01:23 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
    2016-07-18 11:14 - 2016-06-14 21:57 - 02398208 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
    2016-07-18 11:14 - 2016-06-11 11:48 - 00346320 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
    2016-07-18 11:14 - 2016-06-11 02:09 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
    2016-07-18 11:14 - 2016-06-11 02:09 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
    2016-07-18 11:14 - 2016-06-11 01:54 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
    2016-07-18 11:14 - 2016-06-11 01:53 - 00497664 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
    2016-07-18 11:14 - 2016-06-11 01:53 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
    2016-07-18 11:14 - 2016-06-11 01:53 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
    2016-07-18 11:14 - 2016-06-11 01:52 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
    2016-07-18 11:14 - 2016-06-11 01:47 - 02287104 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
    2016-07-18 11:14 - 2016-06-11 01:46 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
    2016-07-18 11:14 - 2016-06-11 01:45 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
    2016-07-18 11:14 - 2016-06-11 01:42 - 20348928 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
    2016-07-18 11:14 - 2016-06-11 01:42 - 00476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
    2016-07-18 11:14 - 2016-06-11 01:41 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
    2016-07-18 11:14 - 2016-06-11 01:41 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
    2016-07-18 11:14 - 2016-06-11 01:41 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
    2016-07-18 11:14 - 2016-06-11 01:41 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
    2016-07-18 11:14 - 2016-06-11 01:35 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
    2016-07-18 11:14 - 2016-06-11 01:32 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
    2016-07-18 11:14 - 2016-06-11 01:27 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
    2016-07-18 11:14 - 2016-06-11 01:26 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
    2016-07-18 11:14 - 2016-06-11 01:24 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
    2016-07-18 11:14 - 2016-06-11 01:23 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
    2016-07-18 11:14 - 2016-06-11 01:21 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
    2016-07-18 11:14 - 2016-06-11 01:19 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
    2016-07-18 11:14 - 2016-06-11 01:14 - 04608000 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
    2016-07-18 11:14 - 2016-06-11 01:12 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
    2016-07-18 11:14 - 2016-06-11 01:10 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
    2016-07-18 11:14 - 2016-06-11 01:09 - 02055680 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
    2016-07-18 11:14 - 2016-06-11 01:09 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
    2016-07-18 11:14 - 2016-06-11 00:58 - 13806080 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
    2016-07-18 11:14 - 2016-06-11 00:45 - 02392576 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
    2016-07-18 11:14 - 2016-06-11 00:42 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
    2016-07-18 11:14 - 2016-06-11 00:41 - 01315840 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
    2016-07-11 22:12 - 2016-07-11 22:12 - 00000000 ____D C:\Sims 4
    2016-07-11 17:29 - 2016-07-24 18:29 - 00000000 ____D C:\Users\KBS-3\Desktop\[Movies]
    2016-07-11 16:05 - 2016-07-11 16:05 - 00000000 ____D C:\Users\KBS-3\AppData\LocalLow\uTorrent
    2016-07-10 23:37 - 2016-07-10 23:38 - 00000000 ____D C:\Users\KBS-3\Desktop\billy
    2016-07-10 23:31 - 2016-07-10 23:36 - 54183859 _____ C:\Users\KBS-3\Desktop\ResEvil5.exe
    2016-07-10 19:11 - 2016-07-10 19:11 - 00003521 _____ C:\Users\KBS-3\Desktop\favicomatic.zip
    2016-07-10 10:19 - 2016-07-10 10:19 - 00000000 ____D C:\Program Files\Sublime Text 3
    2016-07-08 17:45 - 2016-07-11 22:21 - 00000000 ____D C:\Users\KBS-3\Desktop\MovieHp
    2016-06-30 22:38 - 2016-06-30 22:36 - 00245544 _____ (EasyAntiCheat Ltd) C:\Windows\system32\EasyAntiCheat.exe

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-07-30 11:02 - 2009-07-14 11:34 - 00023504 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2016-07-30 11:02 - 2009-07-14 11:34 - 00023504 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2016-07-30 10:52 - 2015-01-31 21:49 - 00000000 ____D C:\Program Files\Steam
    2016-07-30 10:51 - 2016-06-23 15:48 - 00000000 ____D C:\Users\KBS-3\AppData\Local\CrashDumps
    2016-07-30 10:50 - 2015-09-14 21:37 - 00000000 ____D C:\ProgramData\ASUS Smart Gesture
    2016-07-30 10:50 - 2012-12-23 19:54 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2016-07-30 10:49 - 2009-07-14 11:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2016-07-28 10:09 - 2012-12-23 21:28 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2016-07-28 09:47 - 2012-12-23 19:54 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2016-07-28 09:35 - 2016-05-04 00:35 - 00000270 _____ C:\Windows\Tasks\{01682019-08C3-6885-1229-0E52C28F08D7}.job
    2016-07-27 12:21 - 2016-04-20 23:08 - 00000000 ____D C:\Users\KBS-3\Desktop\HPMUSIC
    2016-07-27 10:06 - 2015-06-24 00:56 - 00000000 ____D C:\AdwCleaner
    2016-07-27 08:49 - 2016-05-11 10:21 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
    2016-07-27 08:48 - 2012-12-26 16:26 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\recdisc.exe
    2016-07-26 23:47 - 2016-06-09 14:26 - 00000000 ____D C:\Users\New\Desktop\theme
    2016-07-26 23:40 - 2012-12-23 18:57 - 00000000 ____D C:\Users\KBS-3
    2016-07-26 23:39 - 2016-05-26 14:54 - 00000000 ____D C:\Users\KBS-3\Desktop\WEB
    2016-07-26 23:39 - 2016-01-13 23:58 - 00000000 ____D C:\Users\KBS-3\Desktop\WINOFF
    2016-07-26 23:39 - 2015-01-13 23:39 - 00000000 ___SD C:\Users\KBS-3\Documents\My Web Sites
    2016-07-26 23:38 - 2016-06-17 01:00 - 00000000 ____D C:\Users\KBS-3\Desktop\Polaris
    2016-07-26 22:51 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\system32\migwiz
    2016-07-26 21:59 - 2014-10-11 21:58 - 00000000 ____D C:\Program Files\QuickTime
    2016-07-26 21:58 - 2015-03-09 10:05 - 00000000 ____D C:\Program Files\Origin
    2016-07-26 21:56 - 2016-03-16 16:32 - 00000000 ____D C:\Program Files\Mount&Blade Warband
    2016-07-26 21:56 - 2012-12-23 19:42 - 00000000 ____D C:\Program Files\Microsoft Visual FoxPro 9
    2016-07-26 21:55 - 2015-10-23 17:42 - 00000000 ____D C:\Program Files\Web Publish
    2016-07-26 21:55 - 2014-02-08 19:26 - 00000000 ____D C:\Program Files\WinRAR
    2016-07-26 21:55 - 2009-07-14 14:50 - 00000000 ____D C:\Program Files\Windows Journal
    2016-07-26 21:55 - 2009-07-14 11:52 - 00000000 ____D C:\Program Files\Windows Sidebar
    2016-07-26 21:05 - 2015-07-31 23:11 - 00000000 ____D C:\Program Files\Free Download Manager
    2016-07-26 21:04 - 2009-07-14 11:52 - 00000000 ____D C:\Program Files\DVD Maker
    2016-07-26 21:02 - 2015-05-25 21:01 - 00000000 ____D C:\Program Files\BlueStacks
    2016-07-26 20:32 - 2012-12-26 16:27 - 00567808 _____ C:\Windows\system32\FXSSVC.exe
    2016-07-26 19:42 - 2012-12-23 19:50 - 00000000 ____D C:\Program Files\7-Zip
    2016-07-26 19:18 - 2009-07-14 06:41 - 00055296 _____ C:\Windows\system32\rundll32.exe
    2016-07-26 14:24 - 2012-12-23 19:25 - 00406184 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
    2016-07-25 18:44 - 2015-03-10 14:02 - 00365398 _____ C:\Windows\ntbtlog.txt
    2016-07-25 00:59 - 2014-05-08 17:10 - 00013312 ___SH C:\Users\KBS-3\Thumbs.db
    2016-07-24 23:30 - 2014-11-16 10:52 - 00000000 ____D C:\Photo
    2016-07-24 21:45 - 2015-08-22 11:29 - 00001025 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
    2016-07-24 21:45 - 2012-12-23 19:55 - 00001252 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
    2016-07-24 20:32 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\Resources
    2016-07-24 20:14 - 2016-05-02 10:55 - 00475136 ___SH C:\Users\KBS-3\Desktop\Thumbs.db
    2016-07-24 20:13 - 2014-02-10 17:14 - 00000000 ____D C:\Windows\pss
    2016-07-24 19:05 - 2016-05-25 16:42 - 00000000 ____D C:\Users\KBS-3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
    2016-07-24 16:58 - 2012-12-23 19:06 - 00786558 _____ C:\Windows\system32\PerfStringBackup.INI
    2016-07-24 16:58 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\inf
    2016-07-21 11:18 - 2016-05-27 01:35 - 00000000 ____D C:\ProgramData\MEGAsync
    2016-07-21 03:03 - 2015-04-04 15:09 - 00000000 ___SD C:\Windows\system32\GWX
    2016-07-20 16:21 - 2012-12-23 19:52 - 00000000 ____D C:\Users\KBS-3\AppData\Roaming\vlc
    2016-07-18 22:56 - 2014-05-15 16:38 - 00000000 ____D C:\Windows\rescache
    2016-07-18 21:05 - 2012-12-23 20:10 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
    2016-07-18 20:50 - 2009-07-14 11:33 - 03764360 _____ C:\Windows\system32\FNTCACHE.DAT
    2016-07-18 20:48 - 2014-12-11 12:17 - 00000000 ____D C:\Windows\system32\appraiser
    2016-07-18 11:35 - 2013-07-31 16:39 - 00000000 ____D C:\Windows\system32\MRT
    2016-07-18 11:27 - 2012-12-23 20:01 - 141983760 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
    2016-07-18 10:48 - 2012-12-23 19:54 - 00000000 ____D C:\Program Files\Google
    2016-07-18 10:35 - 2016-05-04 11:35 - 00000222 _____ C:\Users\KBS-3\AppData\Roaming\WB.CFG
    2016-07-11 23:30 - 2014-02-09 12:32 - 00000000 ____D C:\Users\KBS-3\AppData\Roaming\uTorrent
    2016-07-11 15:41 - 2016-06-22 23:50 - 13540917 _____ C:\Users\KBS-3\Desktop\lion.zip
    2016-07-10 19:20 - 2014-06-27 19:39 - 00000132 _____ C:\Users\KBS-3\AppData\Roaming\Adobe PNG Format CS5 Prefs
    2016-07-10 10:57 - 2012-12-23 21:29 - 00000000 ____D C:\Users\KBS-3\AppData\Roaming\Adobe
    2016-07-10 10:19 - 2016-05-12 15:34 - 00000000 ____D C:\Users\KBS-3\AppData\Local\Sublime Text 3
    2016-07-08 23:34 - 2016-06-24 17:03 - 00000000 ____D C:\Users\KBS-3\Desktop\raw-image
    2016-07-08 10:16 - 2015-08-22 11:29 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
    2016-07-07 17:52 - 2016-06-29 01:12 - 00000000 ____D C:\Program Files\Mozilla Firefox
    2016-06-30 23:22 - 2015-03-11 16:29 - 00000000 ____D C:\ProgramData\Package Cache

    ==================== Files in the root of some directories =======

    2014-06-27 19:39 - 2016-07-10 19:20 - 0000132 _____ () C:\Users\KBS-3\AppData\Roaming\Adobe PNG Format CS5 Prefs
    2014-10-26 11:36 - 2014-10-26 11:36 - 0000053 _____ () C:\Users\KBS-3\AppData\Roaming\Camdata.ini
    2014-10-26 11:36 - 2014-10-26 11:36 - 0000408 _____ () C:\Users\KBS-3\AppData\Roaming\CamLayout.ini
    2014-10-26 11:36 - 2014-10-26 11:36 - 0000408 _____ () C:\Users\KBS-3\AppData\Roaming\CamShapes.ini
    2014-10-26 11:36 - 2014-10-26 11:36 - 0004535 _____ () C:\Users\KBS-3\AppData\Roaming\CamStudio.cfg
    2016-03-09 21:02 - 2016-03-09 21:02 - 0000055 _____ () C:\Users\KBS-3\AppData\Roaming\MouseServer.ini
    2016-01-01 13:23 - 2016-01-01 13:29 - 0000077 _____ () C:\Users\KBS-3\AppData\Roaming\Rim.Desktop.Exception.log
    2016-01-01 13:21 - 2016-01-01 13:21 - 0001147 _____ () C:\Users\KBS-3\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
    2016-01-01 13:23 - 2016-01-01 13:29 - 0000077 _____ () C:\Users\KBS-3\AppData\Roaming\Rim.DesktopHelper.Exception.log
    2014-10-26 11:34 - 2014-10-26 11:34 - 0000096 _____ () C:\Users\KBS-3\AppData\Roaming\version2.xml
    2016-05-04 11:35 - 2016-07-18 10:35 - 0000222 _____ () C:\Users\KBS-3\AppData\Roaming\WB.CFG
    2014-09-08 18:09 - 2014-10-11 20:06 - 0004608 _____ () C:\Users\KBS-3\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2014-07-20 19:08 - 2014-07-20 19:08 - 0000000 _____ () C:\Users\KBS-3\AppData\Local\{956B3871-0ADA-46CE-A2D8-2A0B21D337E8}

    Files to move or delete:
    ====================
    C:\Windows\Tasks\{01682019-08C3-6885-1229-0E52C28F08D7}.job


    Some files in TEMP:
    ====================
    C:\Users\KBS-3\AppData\Local\Temp\libeay32.dll
    C:\Users\KBS-3\AppData\Local\Temp\msvcr120.dll
    C:\Users\KBS-3\AppData\Local\Temp\sqlite3.dll


    Some zero byte size files/folders:
    ==========================
    C:\Windows\MSJava.DLL

    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\dnsapi.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


    ATTENTION: ==> Could not access BCD.


    LastRegBack: 2016-06-28 12:55

    ==================== End of FRST.txt ============================
     

    Attached Files:
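The "Bamital & volsnap" section of the FRST log above verifies the digital signatures of a fixed list of core Windows files, because a file infector such as Virut rewrites executables in place and thereby breaks the embedded Authenticode signature. The following PowerShell script is an added example, not part of the thread and not FRST's own code: it re-checks the same ten files with the built-in `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets so a second, independent reading can be compared with FRST's. It is read-only and assumes PowerShell 4 or later run from an elevated prompt. One caveat a practitioner should know: many Windows system files are signed only through security catalogs, and on Windows 7 `Get-AuthenticodeSignature` does not consult catalogs, so such a file can report `NotSigned` while still being genuine; treat `HashMismatch` as the real alarm and confirm any `NotSigned` result with `sfc /verifyonly`.

```powershell
# Added example (not from the thread or from FRST): re-check the Authenticode
# signatures of the core files FRST listed, and record a SHA-256 per file so a
# before/after comparison is possible. Read-only; assumes PowerShell 4+ (for
# Get-FileHash) run as Administrator. The file list is the one FRST printed.
$CoreFiles = @(
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\user32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\dnsapi.dll",
    "$env:SystemRoot\System32\drivers\volsnap.sys"
)

function Test-CoreFileSignature {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            # A missing core file is itself a finding worth reporting.
            [pscustomobject]@{ Path = $path; Status = 'Missing'; Signer = $null; Sha256 = $null }
            continue
        }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path   = $path
            Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer = $sig.SignerCertificate.Subject
            Sha256 = $hash
        }
    }
}

$results = Test-CoreFileSignature -Paths $CoreFiles
$results | Format-Table -AutoSize

# HashMismatch means the embedded signature no longer matches the file body:
# exactly what in-place infection of an executable produces. NotSigned on
# Windows 7 may only mean the file is catalog-signed (see the note above).
$results | Where-Object { $_.Status -ne 'Valid' } |
    ForEach-Object { Write-Warning "Signature check not Valid for $($_.Path): $($_.Status)" }
```

Save the table from a known-clean system (or from the install media) and diff the `Sha256` column against it after cleanup; identical hashes for a file that previously failed verification are the simplest confirmation that the replacement worked.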

  5. RickyGani

    RickyGani Thread Starter

    Joined:
    Jul 24, 2016
    Messages:
    29
    One thing to add: earlier today, I tried to install a game, then I found out that my Windows Installer had been disabled, so I turned it back on, then started it. Almost immediately Avast! showed up saying a threat had been blocked, so I guess my Windows Installer has been affected as well... Is there any way to fix this?
    Thanks
     
  6. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Thanks for those logs... Google Chrome is exploited, do not use it for now...

    Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
    NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

    Next,

    Download AdwCleaner by Xplode onto your Desktop.

    • Double click on Adwcleaner.exe to run the tool.
    • Click on the Scan in the Actions box
    • Please wait for the scan to finish..
    • When "Waiting for action. Please uncheck elements you want to keep" shows in top line..
    • Click on the Cleaning box.
    • Next click OK on the "Closing Programs" pop up box.
    • Click OK on the Information box & again OK to allow the necessary reboot
    • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...

    Next,

    Please open Malwarebytes Anti-Malware.

    • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
    • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
    • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
    • A Threat Scan will begin.
    • When the Scan is complete Apply Actions to any found entries.
    • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
    • After the restart once you are back at your desktop, open MBAM once more.

    To get the log from Malwarebytes do the following:

    • Click on the History tab > Application Logs.
    • Double click on the Scan log which shows the Date and time of the scan just performed.
    • Click Export > From export you have three options:

      Copy to Clipboard - if selected, right click to your reply and select "Paste"; the log will be pasted to your reply
      Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    • Please use "Copy to Clipboard", then right click to your reply > select "Paste"; that will copy the log to your reply…

    Next,

    I've also attached TPM_Base_Services.zip. Download and extract that folder to your Desktop (do not extract anywhere else) so you have TPM_Base_Services.reg on your Desktop...
    Double click to run that .reg file, agree any prompts or merges... Re-boot when complete...

    Next,

    Re-install Google Chrome: If your Chrome Bookmarks are important do this first:

    Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

    Continue for a clean install:

    Remove all synced data from Chrome, go here: https://support.google.com/chrome/answer/6386691?hl=en-GB follow those instructions... It is essential that any/all synced data is removed when the browser is hijacked or exploited in any way...

    Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

    Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

    For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming

    How to show hidden files and folders for Windows Vista upwards: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

    Install Google Chrome from here: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html

    Install Adblock Plus to Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb

    Install DrWeb Anti-virus Link Checker: https://chrome.google.com/webstore/...nk-che/aleggpabliehgbeagmfhnodcijcmbonb?hl=en

    Next,

    Download and unzip DNSJumper to your Desktop, the tool is portable no installation necessary.

    Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper

    Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool. For XP just double click to run.
    From the left hand pane select "Flush DNS"
    From the main interface select the dropdown under "Choose a DNS Server"
    From the list select either "Google Public DNS" or "Open DNS"
    From the left hand pane select "Apply DNS"
    When done re-boot your system....

    Next,

    Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs....

    Post all produced logs, also let me know if there are any remaining issues or concerns...

    Thank you,

    Kevin...
     

    Attached Files:

  7. RickyGani

    RickyGani Thread Starter

    Joined:
    Jul 24, 2016
    Messages:
    29
    Wow, that's a long fix; it must have taken quite a lot of your time, which is very much appreciated. I'm away right now, will be posting all the results from the fix you've given in a few hours.
    Thanks
     
  8. RickyGani

    RickyGani Thread Starter

    Joined:
    Jul 24, 2016
    Messages:
    29
    Here are the results of all the scans.

    One thing though, when I'm scanning with MalwareBytes an error shows up:
    "MalwareBytes was unable to load the Anti-Rootkit Driver. Error code:20026"
    I clicked "yes" to continue the scan anyway...
    Other than that, it's all there.

    Also, things are still not working properly. I pinned Task Manager to my taskbar way back before this virus hit me. Since my PC was infected, it says that this shortcut destination may have been moved or deleted; if I try to open Task Manager from Ctrl+Alt+Delete, it shows nothing, even until now. Will we fix this issue later on? Thanks anyway.
     

    Attached Files:

  9. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Download Portable Windows Repair (all in one) from one of the following:

    http://www.tweaking.com/content/page...ll_in_one.html

    http://www.majorgeeks.com/Tweaking.c...ble_d7222.html

    http://www.bleepingcomputer.com/down...-one-portable/

    Unzip the contents into a newly created folder on your desktop.

    Open the folder, run the tool by right clicking on Repair_Windows (icon with red briefcase) and select "Run as Administrator"

    From the main GUI do the following:

    Select Tab 5 to make Registry backup, use the recommended option...

    [​IMG]

    When complete select "Repairs" tab, from there select "Open Repairs" tab..

    From that window select the default option and checkmark the "Select All" box. When ready select "Start Repairs" tab....

    [​IMG]

    When complete re-boot your system, see if there is any improvement...

    Logs are saved to the Tweaking.com folder on your Desktop..

    Next,

    Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select scan, when done post the two new logs....

    Thanks,

    Kevin...
     
  10. RickyGani

    RickyGani Thread Starter

    Joined:
    Jul 24, 2016
    Messages:
    29
    Thanks for the reply, will be doing that in about 3-4 hours :)
     
  11. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Thanks for the update..
     
  12. RickyGani

    RickyGani Thread Starter

    Joined:
    Jul 24, 2016
    Messages:
    29
    So, I have downloaded and run the Windows Repair exactly like your steps above, but I can see from the log that the fix has failed to start. I have also tried to do it in Safe Mode with Networking, but it has the same result. I haven't done the FRST scan though.

    Here are the 2 Windows Repair logs
     

    Attached Files:

  13. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Ok, something appears to be lurking within.... Leave FRST for now and run the following:

    Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

    • Quit all running programs.
    • For Windows XP, double-click to start.
    • For Vista,Windows 7/8/8.1/10, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
    • Read and accept the EULA (End User License Agreement)
    • Click Scan to scan the system.
    • When the scan completes select "Report", in the next window select "Export txt"; the log will open as a text file. Post that log... Also save it to your Desktop for reference.
    • Close the program > Don't Fix anything!
     
  14. RickyGani

    RickyGani Thread Starter

    Joined:
    Jul 24, 2016
    Messages:
    29
    Here's the result
     

    Attached Files:

  15. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Tweaking.com Registry Backup

    • Download Tweaking.com Registry Backup from here, and save tweaking.com_registry_backup_portable.zip to your desktop.
    • Now we need to create a new folder to extract the zipped contents into. Right click on the zipped folder you just downloaded and select "Extract All".
    • Click the "Browse" button and from the list, expand "Computer", then expand "Windows (C)", and click the "Make New Folder" button.
    • Call this folder something you will remember...like "RegBackup" then click "Ok", and then click "Extract".
    • From the newly extracted files, right click on [IMG] (the Tweaking.com Registry Backup program icon) and select Run as Administrator (XP users just double click) to start Tweaking.com Registry Backup.
      (Windows Vista/7/8/10 users: Accept UAC warning if it is enabled.)
    • A screen like this should appear:

      [​IMG]
    • Type a custom name in Backup Name if you want, then choose Backup Now.
    • If backup is successful, a message will appear at the lower half of the screen with an option to view logs.
    • The registry backup will be created in %WindowsDrive%\RegBackup by default. You can customize the path in Settings.
    • Close Tweaking.com Registry Backup when done.

    Next,

    Double-click RogueKiller.exe to run again. (Vista/7/8/10 right-click and select Run as Administrator)

    When "initializing/pre-scan" completes press the Scan button, this may take a few minutes to complete.

    When the scan completes open the Processes tab and locate the following detections:

    [VT.Unknown] nvvsvc.exe(852) -- C:\Windows\System32\nvvsvc.exe[-] -> Found
    [VT.Unknown] armsvc.exe(1996) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[-] -> Found
    [VT.Unknown] GfExperienceService.exe(2192) -- C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[-] -> Found
    [VT.Unknown] HeciServer.exe(2564) -- C:\Program Files\Intel\iCLS Client\HeciServer.exe[-] -> Found
    [VT.Unknown] Jhi_service.exe(2740) -- C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe[-] -> Found
    [VT.Unknown] WLIDSVC.EXE(3388) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE[-] -> Found
    [VT.Unknown] firefox.exe(5424) -- C:\Program Files\Mozilla Firefox\firefox.exe[-] -> Found
    [VT.Unknown] LMS.exe(4012) -- C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[-] -> Found
    [VT.Unknown] UNS.exe(2764) -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[-] -> Found


    Make sure those entries are checkmarked (ticked); also ensure that all other entries are not checkmarked.


    Open the Registry tab and locate the following detections:

    [Suspicious.Path|VT.Unknown] HKEY_CLASSES_ROOT\CLSID\{1F876ED4-9204-4DF4-86FC-B73067A74676} (C:\Users\KBS-3\AppData\Roaming\Nagravision\PBM\npNMPCBrowserPlugin.dll) -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 118.136.64.4 202.73.99.4 202.73.99.2 ([Indonesia][-][-]) -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 118.136.64.4 202.73.99.4 202.73.99.2 ([Indonesia][-][-]) -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 118.136.64.4 202.73.99.4 202.73.99.2 ([Indonesia][-][-]) -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A7DACEC8-4582-489E-B066-0944FEA672C3} | DhcpNameServer : 118.136.64.4 202.73.99.4 202.73.99.2 ([Indonesia][-][-]) -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A7DACEC8-4582-489E-B066-0944FEA672C3} | DhcpNameServer : 118.136.64.4 202.73.99.4 202.73.99.2 ([Indonesia][-][-]) -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{A7DACEC8-4582-489E-B066-0944FEA672C3} | DhcpNameServer : 118.136.64.4 202.73.99.4 202.73.99.2 ([Indonesia][-][-]) -> Found
    [PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
    [PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | AntiVirusDisableNotify : 1 -> Found
    [PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | FirewallDisableNotify : 1 -> Found
    [PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | UpdatesDisableNotify : 1 -> Found


    Make sure those entries are checkmarked (ticked); also ensure that all other entries are not checkmarked.

    Open the Web Browsers tab and locate the following detections:

    [PUM.HomePage][FIREFX:Config] 2rcs5sq5.default : user_pref("browser.startup.homepage", "https://www.malwarebytes.org/restorebrowser/_adwrldint_16_18&param1=1&param2=f=1&b=Firefox&cc=id&pa=Wincy&cd=2XzuyEtN2Y1L1QzuyDtDyEyCyD0D0BtBtB0B0Czy0A0FtAtAtN0D0Tzu0StCyDzzyEtN1L2XzutAtFtBtCtFtCtFtCtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2SyEyBtAyC0EyEyCzytGyD0FyC0EtGyBzyyB0AtGtA0EtA0FtGyE0ByC0AtDzyyBtAyCtAtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0B0EtAyDtD0B0FtGzy0FtDyEtGyE0EtC0EtGzyzy0A0DtG0BtCtDzyyCtByDyC0E0FyCyB2QtN0A0LzuyE&cr=609242580&a=wncy_adwrldint_16_18&os_ver=6.1&os=Windows+7+Ultimate"); -> Found

    Make sure those entries are checkmarked (ticked); also ensure that all other entries are not checkmarked.

    Hit the Delete button, when complete select "Report", in the next window select "Export txt"; the log will open as a text file. Post that log... Also save it to your Desktop for reference.

    Next,

    Run RKill one more time and post that log also....
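The RogueKiller detections listed above are mostly "PUM" (potentially unwanted modification) entries: registry values that are not malware themselves but are the settings malware commonly flips. `ConsentPromptBehaviorAdmin : 0` makes UAC elevate administrators without any prompt, the three `*DisableNotify : 1` values silence the Security Center warnings about antivirus, firewall and updates being off, and the `DhcpNameServer` entries record which resolvers the machine is using. The script below is an added example, not part of the thread and not RogueKiller's own logic; it reads those same values back and reports which differ from the Windows default, so the state can be re-verified after RogueKiller's Delete step. It changes nothing. It assumes Windows 7 or later with PowerShell 3+, and the "expected" values in the table are this example's assumptions (the Windows defaults), not RogueKiller's detection rules.

```powershell
# Added example (not from the thread or from RogueKiller): audit the PUM
# registry values RogueKiller flagged and list the DHCP-assigned DNS servers.
# Read-only. Assumes Windows 7+ with PowerShell 3+. The Expected values below
# are the Windows defaults and are this example's assumption.

function Get-RegValueOrNull {
    param([string]$Key, [string]$Name)
    # Returns $null (rather than an error) when the key or value is absent.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$Checks = @(
    @{ Key      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'ConsentPromptBehaviorAdmin'; Expected = 5
       Note     = '0 = elevate without prompting; default 5 = prompt for consent for non-Windows binaries' },
    @{ Key      = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name     = 'AntiVirusDisableNotify'; Expected = 0
       Note     = '1 hides the "no antivirus" warning' },
    @{ Key      = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name     = 'FirewallDisableNotify'; Expected = 0
       Note     = '1 hides the "firewall off" warning' },
    @{ Key      = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name     = 'UpdatesDisableNotify'; Expected = 0
       Note     = '1 hides the "updates off" warning' }
)

function Test-HardeningValues {
    foreach ($c in $Checks) {
        $actual = Get-RegValueOrNull -Key $c.Key -Name $c.Name
        [pscustomobject]@{
            Value    = $c.Name
            Actual   = $actual
            Expected = $c.Expected
            # An absent value means Windows uses its default, so it passes.
            Ok       = ($null -eq $actual) -or ($actual -eq $c.Expected)
            Note     = $c.Note
        }
    }
}

function Get-DhcpNameServers {
    # Lists DhcpNameServer at the global Tcpip\Parameters level and per interface,
    # the same locations RogueKiller reported, so they can be compared with the
    # resolvers the router or ISP is known to hand out.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $topLevel = Get-RegValueOrNull -Key $base -Name 'DhcpNameServer'
    if ($topLevel) { [pscustomobject]@{ Scope = 'global'; DhcpNameServer = $topLevel } }
    Get-ChildItem -Path "$base\Interfaces" -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-RegValueOrNull -Key $_.PSPath -Name 'DhcpNameServer'
        if ($v) { [pscustomobject]@{ Scope = $_.PSChildName; DhcpNameServer = $v } }
    }
}

Test-HardeningValues | Format-Table -AutoSize
Get-DhcpNameServers  | Format-Table -AutoSize
```

Run it once before RogueKiller's Delete step and once after the reboot: every row of the first table should read `Ok = True` afterwards, and the DNS table should show only the addresses you recognise from your router or ISP. A value that reverts to the flagged state on its own after cleanup points to something still running that re-applies it.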
     
Short URL to this thread: https://techguy.org/1175272