Possible Virut infection?


4 replies to this topic

#1 olivia7

olivia7

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:57 PM

Posted 28 May 2015 - 11:30 PM

I can't remember the exact order of what happened when, but as far as I can remember, here's basically what happened:

So, about a week ago I started noticing my computer acting weird. The first issue was that lines would appear on the screen, and the display would go all screwed up, the screen would go black for a second and then come back saying the display drivers had crashed and recovered. Last fall I had the same issue, which got more and more frequent until my graphics card died completely and had to be replaced. I'd had no problems up until now, and since the graphics card had been replaced recently, my first thought was that maybe I just needed to update the drivers. I went to the NVIDIA site, and saw that there was a newer driver than the one I had. I was able to download it fine, yet when I tried to install it, it kept telling me there was a 7-Zip error. I re-downloaded it several times and kept getting the same thing, and was never able to install it.

Next, Windows Explorer kept crashing and restarting itself constantly, and I got an error message from AVG that I wasn't fully protected, yet when I clicked the button to fix it, it would give me an error message (http://i.imgur.com/uX6YQ14.jpg) and not fix it. When I clicked the link in that message, it said the page couldn't be found. I realized the problems had started right after installing a bunch of Windows Updates. I've had issues with Windows Updates screwing things up in the past, so I uninstalled them and restarted.

AVG was still giving me issues. At one point, I got this: http://i.imgur.com/hBtLVm6.jpg

so I tried to uninstall and reinstall AVG. It took a couple of tries, but I finally was able to do it. After I was finally able to reinstall, it downloaded the latest updates and showed I was fully protected.

So I tried again to install the NVIDIA driver update. This time I got further than I did before, but this time I got a message saying the file was corrupt and to try downloading again, but if it still didn't work, I probably had a corrupt cabinet file. I tried downloading again, but still got the same message.

Then AVG turns itself off again, and I get a message from Windows saying there was an error with the AVG installer service and it's been closed down. As soon as I close that message, it pops up again, and continues to do that every time I close it. I eventually just leave it up. I tried to restore Windows to an earlier point, but the earliest one in the list was only from a few minutes before, which wouldn't have done any good.

During all of this, my thought is that I must have a virus, and I run all the usual scans. Nothing comes up on any of them, but I did some searching after the "corrupt cabinet file" message from NVIDIA, and a couple of things led me to think the issue was my hard drive failing. A little after that, I get a message from Windows saying there's a hard drive failure and to run a scan. I do, but can't find the results after I restart, and things start getting worse. Windows Explorer doesn't seem to want to stay open, and it finally freezes to the point where I have to turn it off at the power switch. When I turn it back on, it comes up with the "Windows did not shut down properly, do you want to start in safe mode?" message. I click on safe mode, but when it boots up, it's not in safe mode. That happened a couple of different times, where it said it would boot in safe mode, but then it didn't.

Thinking my hard drive is failing, I start backing up all my data onto an external hard drive. Most documents and pictures were already on there, but I decided to put the installation files of the programs I'd downloaded on there so I wouldn't have to download them again. Doing this, it takes waaaaaay longer to copy files than usual, and Windows Explorer restarts several times while I'm backing things up. Taking longer to copy files was one of the symptoms of a failing hard drive in the articles I'd found, so I'm thinking at this point that that's probably the issue. I still don't have everything backed up, though.

AVG starts giving me messages again. It has a link on the error message that says "find out more at the website" but when I click it, it says page not found. I do a little searching and find a couple reviews on CNET where apparently other people are having issues with the newest version of AVG, so I decide to uninstall it and try another anti-virus program. I go to uninstall it, but as soon as I click to uninstall, I get the message from Windows again that the AVG installer has failed and been shut down. As soon as I close it, it keeps popping up again, and I get the message from Windows again that there's a hard drive failure and to run a scan.

I run the scan again, and when the computer starts back up after, it asks me to validate my version of Windows. I've had the computer for 8 years, Windows came installed, so it's not a bootlegged version or anything. I finally managed to find my product key # to enter into the box where it asks, and it says it's been authenticated, but once it loads, Windows Explorer shut down and restarted almost immediately. Also, my wallpaper is gone and the desktop is just black. Soon after, I got a message saying an unauthorized change was made to Windows.

I start wondering again if maybe it's a virus and not the hard drive failing, and as a last resort, I decided to try ComboFix, which was introduced to me by an IT guy family friend years ago and has gotten rid of some pretty stubborn viruses in the past. At first it wouldn't run, but once it finally would, it didn't take too long before I got a message saying something along the lines of "ComboFix has been compromised, it's possible you're infected with the Virut virus". At that point I remembered the family friend who introduced me to ComboFix mentioning this website, so I searched for Virut here and found a thread with someone saying that it's not possible to get rid of Virut, you just have to reformat the computer and start clean. Here is that thread: http://www.bleepingcomputer.com/forums/t/295652/virut/

It was from five years ago, though, so I decided to do some searching and see if there'd been a fix for it that came out since then. Through AVG's website, I found a tool that's supposed to remove Virut, but it didn't find anything. A couple minutes ago I got a message from AVG, saying I needed to run the first scan, as if it had just been installed, which I found weird since I'd thought it was disabled.

Anyway, from what I saw on this site about Virut, it infects files, so if I were to reformat the computer and put the files I'd backed up back on it, it'd just reinfect it? Am I just out of luck when it comes to saving my files? I'd seen someone mention in that thread that if you have it, credit cards and banking could be compromised. Do I need to cancel my credit cards/bank account?

Also, I'd seen something else about a false positive in regards to Virut. Is it possible that that's the case? Could hard drive failure be mistaken for Virut? Or is that pretty unlikely and I most likely do have it? How do I find out for sure?

Just now, I got the AVG shutdown and then Windows hard disk problem messages again. Here are what they look like: http://i.imgur.com/heRoNBP.jpg

And again, as soon as I close them, they come right back up.

I'm not sure how detailed you guys need the specifications, so here's this: http://i.imgur.com/VzQYCt6.jpg

I'm just wondering where to go from here. Thanks to anyone who can help!

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-05-2015 01
Ran by Me (administrator) on HOME-PC on 29-05-2015 00:00:02
Running from C:\Users\Me\Desktop
Loaded Profiles: Me (Available Profiles: Me)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 7 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgwdsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Alcatel-Lucent) C:\Program Files\Common Files\Motive\McciCMService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
(Prolific Technology Inc.) C:\Windows\System32\IoctlSvc.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgemcx.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Hewlett-Packard Company) C:\hp\support\hpsysdrv.exe
(OsdMaestro) C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
() C:\Program Files\DELL\Dell Laser Printer 1110\LocalSM\jbDetect.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgui.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft® Corporation) C:\Program Files\Microsoft Works\WkCalRem.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Security Scan\kss.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Security Scan\kss.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Security Scan\kss.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Software Updater Beta\ksu.exe
() C:\Users\Me\Desktop\armadillo.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [hpsysdrv] => c:\hp\support\hpsysdrv.exe [65536 2007-04-18] (Hewlett-Packard Company)
HKLM\...\Run: [OsdMaestro] => C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe [118784 2007-02-15] (OsdMaestro)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [Dell Laser Printer 1110 SM_JB] => C:\Program Files\DELL\Dell Laser Printer 1110\LocalSM\jbDetect.exe [222088 2006-12-19] ()
HKLM\...\Run: [SunJavaUpdateReg] => C:\Windows\system32\jureg.exe [54936 2007-04-07] (Sun Microsystems, Inc.)
HKLM\...\Run: [DivXMediaServer] => C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-04-15] (DivX, LLC)
HKLM\...\Run: [DivXUpdate] => C:\Program Files\DivX\DivX Update\DivXUpdate.exe [1263952 2013-02-12] ()
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-04-23] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-05-26] (Apple Inc.)
HKLM\...\Run: [NvBackend] => C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe [2673296 2015-04-08] (NVIDIA Corporation)
HKLM\...\Run: [QuickTime Plugin Install] => C:\Program Files\QuickTime\Plugins\DeleteMe1.exe [86016 2015-01-19] ()
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3745744 2015-05-18] (AVG Technologies CZ, s.r.o.)
HKU\S-1-5-21-1698823969-2441902110-1068803011-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-1698823969-2441902110-1068803011-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-1698823969-2441902110-1068803011-1000\...\Run: [KSS] => C:\Program Files\Kaspersky Lab\Kaspersky Security Scan\kss.exe [918824 2015-04-06] (Kaspersky Lab ZAO)
HKU\S-1-5-21-1698823969-2441902110-1068803011-1000\...\MountPoints2: F - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-1698823969-2441902110-1068803011-1000\...\MountPoints2: {6ce2ac3a-4f05-11dd-9b08-001c258bcef8} - F:\LaunchU3.exe
HKU\S-1-5-21-1698823969-2441902110-1068803011-1000\...\MountPoints2: {b776ee48-e5fb-11e2-9919-001c258bcef8} - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-1698823969-2441902110-1068803011-1000\...\MountPoints2: {cdde7375-0c83-11e4-bfc3-001c258bcef8} - H:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-1698823969-2441902110-1068803011-1000\...\MountPoints2: {fb792441-f118-11e0-8379-001c258bcef8} - F:\TL-Bootstrap.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Kaspersky Software Updater Beta.lnk [2015-05-28]
ShortcutTarget: Kaspersky Software Updater Beta.lnk -> C:\Program Files\Kaspersky Lab\Kaspersky Software Updater Beta\ksu.exe (Kaspersky Lab ZAO)
Startup: C:\Users\Me\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WkCalRem.LNK [2012-08-30]
ShortcutTarget: WkCalRem.LNK -> C:\Program Files\Microsoft Works\WkCalRem.exe (Microsoft® Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-1698823969-2441902110-1068803011-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
SearchScopes: HKLM -> {9A1FA604-C476-4D82-9926-38F90E1FF58E} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1698823969-2441902110-1068803011-1000 -> {9A1FA604-C476-4D82-9926-38F90E1FF58E} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt
BHO: DivX Plus Web Player HTML5 <video> -> {326E768D-4182-46FD-9C16-1449A49795F4} -> C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll [2013-05-06] (DivX, LLC)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-05-26] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-26] (Oracle Corporation)
DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} https://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-06-07] (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of  Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772
FF NewTab: about:blank
FF DefaultSearchEngine: YouTube
FF DefaultSearchEngine.US: YouTube
FF SelectedSearchEngine: TV
FF Homepage: https://www.google.com
FF Keyword.URL:
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_17_0_0_188.dll [2015-05-22] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-02-21] ()
FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll No File
FF Plugin: @divx.com/DivX Plus Web Player Plug-In,version=1.0.0 -> C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll [2013-05-06] (DivX, LLC)
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll [2011-06-20] (DivX, LLC.)
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-26] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-26] (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @Motive.com/NpMotive,version=1.0 -> C:\Program Files\Common Files\Motive\npMotive.dll [2010-04-30] (Alcatel-Lucent)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-16] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-04-29] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll [2009-11-13] (DivX, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2015-04-29] (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\searchplugins\dictionarycom.xml [2013-12-31]
FF SearchPlugin: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\searchplugins\greasemonkey-scripts.xml [2013-01-13]
FF SearchPlugin: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\searchplugins\kickasstorrents.xml [2014-03-02]
FF SearchPlugin: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\searchplugins\pirate-bay.xml [2013-01-13]
FF SearchPlugin: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\searchplugins\thesaurus.xml [2013-08-01]
FF SearchPlugin: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\searchplugins\torrentz-search.xml [2014-03-02]
FF SearchPlugin: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\searchplugins\tv.xml [2013-01-13]
FF SearchPlugin: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\searchplugins\urban-dictionary.xml [2013-01-13]
FF SearchPlugin: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\searchplugins\youtube.xml [2013-01-13]
FF Extension: Toolbar Buttons - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\{03B08592-E5B4-45ff-A0BE-C1D975458688} [2013-01-13]
FF Extension: Forecastfox - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3} [2014-05-10]
FF Extension: Add to Search Bar - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\add-to-searchbox@maltekraus.de.xpi [2013-01-13]
FF Extension: Classic Theme Restorer (Customize Australis) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2014-05-10]
FF Extension: Duplicate in Tab Context Menu - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\DuplicateInTabContext@schuzak.jp.xpi [2015-01-25]
FF Extension: OneTab - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\extension@one-tab.com.xpi [2015-03-30]
FF Extension: FlashStopper - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\flashstopper@byo.co.il.xpi [2015-05-03]
FF Extension: Permanent List-all-tabs Button - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\listalltabs@sdrocking.com.xpi [2013-01-13]
FF Extension: Ponify - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\ponify@pterocorn.blogspot.com.xpi [2013-04-08]
FF Extension: Sort Tabs - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\sort-tabs@erikvold.com.xpi [2013-07-14]
FF Extension: Suspend background tabs - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\suspendbackgroundtabs@adblockplus.org.xpi [2013-07-14]
FF Extension: TiddlyFox extension for Firefox - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\tiddlyfox@tiddlywiki.org.xpi [2013-01-13]
FF Extension: Screengrab  (fix version) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\{02450914-cdd9-410f-b1da-db004e18c671}.xpi [2013-01-13]
FF Extension: Stylish - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}.xpi [2013-08-18]
FF Extension: Googlebar Lite - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\{79c50f9a-2ffe-4ee0-8a37-fae4f5dacd4f}.xpi [2013-01-13]
FF Extension: Adblock Plus - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-10-20]
FF Extension: Greasemonkey - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2013-01-13]
FF Extension: Menu Editor - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\5v684v4v.default-1358117003772\Extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}.xpi [2013-01-13]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-02-13]
FF HKLM\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] - C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 &video& - C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2013-05-15]

Chrome:
=======
CHR HomePage: Default -> hxxp://mysearch.avg.com?cid={9C454CE8-FF4E-48CF-8D07-394DCE819915}&mid=780c9225d805444dabd66204fa4f0c2f-e9cd41d7efe70928433a0a74c5f9ed1bb3fd0b3a&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2013-12-23 21:04:41&v=17.2.0.38&pid=safeguard&sg=&sap=hp
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\42.0.2311.135\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\42.0.2311.135\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\42.0.2311.135\pdf.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (DivX Player Netscape Plugin) - C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll (DivX, Inc)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll No File
CHR Plugin: (Motive Plugin) - C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
CHR Plugin: (DivX VOD Helper Plug-in) - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
CHR Plugin: (DivX Plus Web Player) - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.124\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 7 U9) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.90.5) - C:\Windows\system32\npDeployJava1.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Profile: C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-01-01]
CHR Extension: (YouTube) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-01-01]
CHR Extension: (Google Search) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-01-01]
CHR Extension: (Bookmark Manager) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-05-08]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-18]
CHR Extension: (Google Wallet) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (Gmail) - C:\Users\Me\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-01-01]
CHR HKLM\...\Chrome\Extension: [ijmdocbmopmdoheajdkjdoklkibomacj] - C:\ProgramData\Download and Sa\ijmdocbmopmdoheajdkjdoklkibomacj.crx [Not Found]
CHR HKLM\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx [2013-05-06]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3438544 2015-05-18] (AVG Technologies CZ, s.r.o.) [File not signed]
R2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [311792 2015-05-18] (AVG Technologies CZ, s.r.o.)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [918160 2015-04-08] (NVIDIA Corporation)
R2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [65536 2007-09-19] (Hewlett-Packard) [File not signed]
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 kss; C:\Program Files\Kaspersky Lab\Kaspersky Security Scan\kss.exe [918824 2015-04-06] (Kaspersky Lab ZAO)
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2009-03-17] (Hewlett-Packard Company) [File not signed]
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
R2 McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [319488 2010-04-30] (Alcatel-Lucent) [File not signed]
R2 NvNetworkService; C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe [1878672 2015-04-08] (NVIDIA Corporation)
R2 PLFlash DeviceIoControl Service; C:\Windows\system32\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.) [File not signed]
R3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)
S3 AresChatServer; C:\Program Files\Ares\chatServer.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 anvsnddrv; C:\Windows\System32\drivers\anvsnddrv.sys [32896 2012-05-17] (AnvSoft Inc.) [File not signed]
S1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [132576 2015-03-11] (AVG Technologies CZ, s.r.o.) [File not signed]
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [226784 2015-04-27] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [191968 2015-05-07] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [29664 2015-05-14] (AVG Technologies CZ, s.r.o.)
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [206816 2015-04-15] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [290272 2015-05-07] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [166880 2015-05-07] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [35808 2015-03-20] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [213984 2015-05-04] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [42784 2014-05-08] (AVG Technologies)
R0 giveio; C:\Windows\System32\giveio.sys [5248 1996-04-03] () [File not signed]
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-04-14] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-04-14] (Malwarebytes Corporation)
S3 MREMP50; C:\Program Files\Common Files\Motive\MREMP50.sys [21248 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50; C:\Program Files\Common Files\Motive\MRESP50.sys [20096 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R0 speedfan; C:\Windows\System32\speedfan.sys [24184 2012-12-29] (Almico Software)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [13464 2014-09-22] ()
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000}; \??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms [X]
S3 SymIM; system32\DRIVERS\SymIM.sys [X]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-05-29 00:00 - 2015-05-29 00:02 - 00025398 _____ () C:\Users\Me\Desktop\FRST.txt
2015-05-28 23:58 - 2015-05-29 00:01 - 00000000 ____D () C:\FRST
2015-05-28 23:57 - 2015-05-29 00:02 - 00007119 _____ () C:\Users\Me\Desktop\bcp0.txt
2015-05-28 23:57 - 2015-05-28 23:57 - 00007304 _____ () C:\Users\Me\Desktop\pspbrwse.jbf
2015-05-28 23:55 - 2015-05-28 23:55 - 01147392 _____ (Farbar) C:\Users\Me\Desktop\FRST.exe
2015-05-28 23:46 - 2015-05-28 23:46 - 00001215 _____ () C:\Users\Me\Desktop\h.txt
2015-05-28 22:49 - 2015-05-28 22:49 - 03454000 _____ () C:\Users\Me\Desktop\armadillo.exe
2015-05-28 22:40 - 2015-05-28 22:40 - 00000938 _____ () C:\Users\Public\Desktop\Kaspersky Software Updater Beta.lnk
2015-05-28 22:40 - 2015-05-28 22:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Software Updater Beta
2015-05-28 22:38 - 2015-05-28 22:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Security Scan
2015-05-28 22:38 - 2015-05-28 22:37 - 00000898 _____ () C:\Users\Public\Desktop\Kaspersky Security Scan.lnk
2015-05-28 22:36 - 2015-05-28 22:40 - 00000000 ____D () C:\ProgramData\Kaspersky Lab
2015-05-28 22:36 - 2015-05-28 22:40 - 00000000 ____D () C:\Program Files\Kaspersky Lab
2015-05-28 22:30 - 2015-05-28 22:30 - 00716896 _____ (Kaspersky Lab) C:\Users\Me\Desktop\kas.exe
2015-05-28 22:23 - 2015-05-28 22:23 - 00000000 ____D () C:\Qoobox
2015-05-28 22:22 - 2015-05-28 22:22 - 00000000 ____D () C:\Windows\erdnt
2015-05-28 22:15 - 2015-05-28 22:15 - 00002628 _____ () C:\Users\Me\Desktop\legitcheck.hta
2015-05-28 21:45 - 2015-05-28 21:45 - 00000552 _____ () C:\Windows\system32\spsys.log
2015-05-28 21:41 - 2015-05-28 21:41 - 00000000 __SHD () C:\found.000
2015-05-28 19:50 - 2015-05-28 19:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CrystalDiskInfo
2015-05-28 19:49 - 2015-05-28 19:50 - 00000000 ____D () C:\Program Files\CrystalDiskInfo
2015-05-28 19:07 - 2015-05-28 19:07 - 01234456 _____ () C:\Users\Me\Desktop\bookmarks-2015-05-28.json
2015-05-28 19:05 - 2015-05-28 19:05 - 00000000 ____D () C:\Users\Me\AppData\Local\niemiro
2015-05-28 03:24 - 2015-05-28 03:24 - 00000000 ____D () C:\ProgramData\AVG
2015-05-28 03:05 - 2015-05-28 03:05 - 00000000 ____D () C:\Users\Me\AppData\Roaming\AVG2015
2015-05-28 03:04 - 2015-05-28 03:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-05-28 03:03 - 2015-05-28 03:05 - 00000000 ____D () C:\ProgramData\AVG2015
2015-05-28 03:03 - 2015-05-28 03:03 - 00000000 ___HD () C:\$AVG
2015-05-28 02:44 - 2015-05-28 02:44 - 00000167 _____ () C:\Users\Me\Desktop\e.txt
2015-05-28 00:47 - 2015-05-28 00:47 - 280382889 _____ () C:\Windows\MEMORY.DMP
2015-05-28 00:47 - 2015-05-28 00:47 - 00169872 _____ () C:\Windows\Minidump\Mini052815-01.dmp
2015-05-28 00:00 - 2015-05-28 19:09 - 00000000 ____D () C:\Users\Me\AppData\Local\Avg2015
2015-05-25 00:59 - 2015-05-25 03:36 - 00001767 _____ () C:\Users\Me\Desktop\Links.txt
2015-05-16 23:41 - 2015-05-16 23:41 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-05-14 13:49 - 2015-05-14 13:49 - 00029664 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsshimx.sys
2015-05-07 13:52 - 2015-05-07 13:52 - 00290272 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avglogx.sys
2015-05-07 13:52 - 2015-05-07 13:52 - 00191968 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidshx.sys
2015-05-07 13:52 - 2015-05-07 13:52 - 00166880 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgmfx86.sys
2015-05-06 11:27 - 2015-05-06 11:27 - 00000320 _____ () C:\Windows\Tasks\0415avUpdateInfo.job
2015-05-06 11:27 - 2015-05-06 11:27 - 00000000 ____D () C:\ProgramData\Avg_Update_0415av
2015-05-04 14:15 - 2015-05-04 14:15 - 00213984 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgtdix.sys
2015-05-03 17:39 - 2015-05-03 17:39 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-05-02 19:28 - 2015-05-02 19:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AIMP3

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-05-29 00:03 - 2013-01-01 09:29 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-05-28 23:52 - 2006-11-02 08:47 - 00002000 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-05-28 23:52 - 2006-11-02 08:47 - 00002000 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-05-28 23:39 - 2013-09-02 00:15 - 00000000 ____D () C:\Users\Me\Desktop\Music1
2015-05-28 22:23 - 2006-11-02 06:33 - 00759582 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-05-28 22:19 - 2008-05-24 17:26 - 01252821 _____ () C:\Windows\WindowsUpdate.log
2015-05-28 22:12 - 2013-01-01 09:29 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-05-28 21:45 - 2006-11-02 09:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-05-28 20:55 - 2008-05-24 18:16 - 00175104 _____ () C:\Users\Me\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-05-28 15:49 - 2006-11-02 09:01 - 00032584 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-05-28 03:19 - 2010-10-03 17:13 - 00000000 ____D () C:\ProgramData\MFAData
2015-05-28 02:59 - 2008-12-13 13:29 - 00000000 ____D () C:\Program Files\AVG
2015-05-28 02:51 - 2015-04-13 07:35 - 00001004 _____ () C:\Users\Me\Desktop\1.txt
2015-05-28 02:51 - 2013-12-23 16:21 - 00000000 ____D () C:\AdwCleaner
2015-05-28 01:08 - 2008-10-25 23:29 - 00000412 ____H () C:\Windows\Tasks\User_Feed_Synchronization-{63729516-54E5-4243-9D4A-4909D4587B21}.job
2015-05-28 00:59 - 2014-05-21 20:14 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-05-28 00:47 - 2012-09-18 21:24 - 00000000 ____D () C:\Windows\Minidump
2015-05-27 23:58 - 2015-01-23 23:12 - 00020864 _____ () C:\Windows\PFRO.log
2015-05-27 23:32 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-05-27 23:25 - 2006-11-02 08:47 - 03345056 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-05-27 23:21 - 2006-11-02 08:37 - 00000000 ____D () C:\Windows\system32\XPSViewer
2015-05-27 23:21 - 2006-11-02 08:37 - 00000000 ____D () C:\Program Files\Windows Journal
2015-05-27 22:29 - 2008-05-24 19:55 - 00001356 _____ () C:\Users\Me\AppData\Local\d3d9caps.dat
2015-05-27 22:27 - 2014-05-21 20:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-05-27 22:27 - 2014-05-21 20:14 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-05-26 19:20 - 2014-07-12 13:33 - 00074240 _____ () C:\Users\Me\Documents\Spreadsheet.xls
2015-05-26 01:37 - 2013-06-27 20:24 - 00000000 ____D () C:\Users\Me\AppData\Roaming\AIMP3
2015-05-26 01:15 - 2013-10-20 03:52 - 00000000 ____D () C:\ProgramData\Oracle
2015-05-26 01:14 - 2014-08-24 18:23 - 00000000 ____D () C:\Users\Me\AppData\Local\Adobe
2015-05-26 01:12 - 2014-12-20 22:23 - 00096352 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-05-26 01:12 - 2008-02-22 05:23 - 00000000 ____D () C:\Program Files\Java
2015-05-24 20:35 - 2013-07-27 17:45 - 00135395 _____ () C:\Users\Me\Documents\qdata.txt
2015-05-24 20:30 - 2014-08-11 21:32 - 00000509 _____ () C:\Users\Me\Desktop\TtB.txt
2015-05-24 01:09 - 2014-12-31 05:30 - 00001090 _____ () C:\Users\Me\Desktop\MB3.txt
2015-05-24 01:09 - 2013-04-14 16:51 - 00001944 _____ () C:\Users\Me\Desktop\Projects2.txt
2015-05-23 23:05 - 2015-04-09 17:14 - 00004795 _____ () C:\Users\Me\Documents\May New.txt
2015-05-23 23:02 - 2015-03-26 19:27 - 00002890 _____ () C:\Users\Me\Documents\CS New.txt
2015-05-23 14:31 - 2012-04-06 18:04 - 00014145 _____ () C:\Users\Me\Desktop\0.txt
2015-05-22 21:46 - 2011-11-25 05:50 - 00002425 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2015-05-22 21:45 - 2014-08-21 16:47 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-05-22 21:45 - 2014-08-21 16:47 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-05-21 22:15 - 2012-04-24 17:49 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-05-18 02:43 - 2015-02-25 21:37 - 00001803 _____ () C:\Users\Me\Desktop\FS0.txt
2015-05-13 22:22 - 2013-07-20 20:48 - 00000000 ____D () C:\Windows\system32\MRT
2015-05-13 22:07 - 2006-11-02 06:24 - 137310008 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2015-05-06 01:02 - 2013-09-01 23:44 - 00000000 ____D () C:\Users\Me\Desktop\Music
2015-05-02 19:28 - 2013-06-27 20:24 - 00000000 ____D () C:\Program Files\AIMP3
2015-04-30 18:52 - 2008-05-24 17:44 - 00494432 _____ () C:\Users\Me\AppData\Local\GDIPFONTCACHEV1.DAT

==================== Files in the root of some directories =======

2013-12-23 22:04 - 2014-05-08 09:30 - 0003743 _____ () C:\Program Files\Mozilla Firefoxsafeguard-secure-search.xml
2010-09-14 22:32 - 2011-11-13 08:16 - 0000596 _____ () C:\Users\Me\AppData\Roaming\AutoGK.ini
2008-05-24 18:50 - 2011-07-28 21:31 - 0017796 _____ () C:\Users\Me\AppData\Roaming\wklnhst.dat
2008-05-24 19:55 - 2015-05-27 22:29 - 0001356 _____ () C:\Users\Me\AppData\Local\d3d9caps.dat
2008-05-24 18:16 - 2015-05-28 20:55 - 0175104 _____ () C:\Users\Me\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-06-22 19:40 - 2014-08-21 21:09 - 0004096 ____H () C:\Users\Me\AppData\Local\keyfile3.drm
2008-02-22 05:09 - 2008-02-22 05:10 - 0000342 _____ () C:\ProgramData\hpzinstall.log

Some files in TEMP:
====================
C:\Users\Me\AppData\Local\Temp\i4jdel0.exe
C:\Users\Me\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Me\AppData\Local\Temp\Quarantine.exe
C:\Users\Me\AppData\Local\Temp\sfamcc00001.dll
C:\Users\Me\AppData\Local\Temp\sfextra.dll
C:\Users\Me\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-05-28 22:00

==================== End of log ============================


#2 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,133 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:57 PM

Posted 02 June 2015 - 06:38 AM

olivia7,
 

I decided to try ComboFix

Running ComboFix without the permission of a UNITE expert isn't wise, as it can be a very dangerous tool.
 

Anyway, from what I saw on this site about Virut, it infects files, so if I were to reformat the computer and put the files I'd backed up back on it, it'd just reinfect it?

Virut infects files with a "special" extension. So you can back up documents, because they aren't infected. In contrast to this, you shouldn't back up any executable file, as these are the files that will be infected by Virut.
 

Do I need to cancel my credit cards/bank account?

If you are infected (no matter which infection), it is always wise to change all passwords, and therefore also the password of your bank/card account if possible.

 

I guess you know these files:
 

2015-05-28 23:57 - 2015-05-29 00:02 - 00007119 _____ () C:\Users\Me\Desktop\bcp0.txt
2015-05-28 23:57 - 2015-05-28 23:57 - 00007304 _____ () C:\Users\Me\Desktop\pspbrwse.jbf
2015-05-28 23:46 - 2015-05-28 23:46 - 00001215 _____ () C:\Users\Me\Desktop\h.txt
2015-05-28 22:49 - 2015-05-28 22:49 - 03454000 _____ () C:\Users\Me\Desktop\armadillo.exe


 

It seems to me that you are definitely not infected with VIRUT. It is an old infection and I haven't seen it for years now, so don't worry.

Step 1: FRST FIX
  • Please open Notepad.exe. Make sure that you don't use any other software than Notepad.exe!
  • Copy and Paste the content of the codebox below into the empty text file:

    HKLM\...\Run: [] => [X]
    HKU\S-1-5-21-1698823969-2441902110-1068803011-1000\...\MountPoints2: F - F:\HTC_Sync_Manager_PC.exe
    HKU\S-1-5-21-1698823969-2441902110-1068803011-1000\...\MountPoints2: {6ce2ac3a-4f05-11dd-9b08-001c258bcef8} - F:\LaunchU3.exe
    HKU\S-1-5-21-1698823969-2441902110-1068803011-1000\...\MountPoints2: {b776ee48-e5fb-11e2-9919-001c258bcef8} - F:\HTC_Sync_Manager_PC.exe
    HKU\S-1-5-21-1698823969-2441902110-1068803011-1000\...\MountPoints2: {cdde7375-0c83-11e4-bfc3-001c258bcef8} - H:\VZW_Software_upgrade_assistant.exe
    HKU\S-1-5-21-1698823969-2441902110-1068803011-1000\...\MountPoints2: {fb792441-f118-11e0-8379-001c258bcef8} - F:\TL-Bootstrap.exe
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - No File
    Hosts:
    FF Keyword.URL:
    FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll No File
    C:\Users\Me\AppData\Local\Temp\i4jdel0.exe
    C:\Users\Me\AppData\Local\Temp\jre-8u31-windows-au.exe
    C:\Users\Me\AppData\Local\Temp\Quarantine.exe
    C:\Users\Me\AppData\Local\Temp\sfamcc00001.dll
    C:\Users\Me\AppData\Local\Temp\sfextra.dll
    C:\Users\Me\AppData\Local\Temp\sqlite3.dll
    AlternateDataStreams: C:\ProgramData\TEMP:8CE646EE
  • Then click on File >> Save as
    • File Name: Fixlist.txt
    • From the Save as type drop down list, choose All Files
  • It is very important that you save this text file on your Desktop!
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run FRST.exe/FRST64.exe (Note: If FRST advises there is a new updated version to be downloaded, allow this.) and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply
Step 2: FRST Scan
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

unite_blue.png
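As an added example (not part of Machiavelli's post and not FRST's own code), here is a small Python parser for the service/driver line format shown in the FRST log above. It flags the entries a log reviewer looks at first: orphaned registry entries marked [X], files FRST reports as not signed, and files with no company name in their version info. The sample lines are copied from the posted log; the Entry fields and the reason strings are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the FRST "Services"/"Drivers (Whitelisted)" line format;
# the values are copied from entries in the log posted above.
SAMPLE_LOG = """\
R2 McciCMService; C:\\Program Files\\Common Files\\Motive\\McciCMService.exe [319488 2010-04-30] (Alcatel-Lucent) [File not signed]
R3 WinDefend; C:\\Program Files\\Windows Defender\\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)
S3 AresChatServer; C:\\Program Files\\Ares\\chatServer.exe [X]
R0 giveio; C:\\Windows\\System32\\giveio.sys [5248 1996-04-03] () [File not signed]
S3 SWDUMon; C:\\Windows\\System32\\DRIVERS\\SWDUMon.sys [13464 2014-09-22] ()
S3 MREMP50; C:\\Program Files\\Common Files\\Motive\\MREMP50.sys [21248 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
"""

@dataclass
class Entry:
    state: str             # R = running, S = stopped, U = unknown; digit = start type
    name: str
    path: str
    size: Optional[int]    # None when FRST reports the file as missing ([X])
    date: Optional[str]
    company: Optional[str]
    signed: bool
    missing: bool

HEAD_RE = re.compile(r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<rest>.+)$")
FILE_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+(?P<tail>\(.*)$")
UNSIGNED = "[File not signed]"

def parse_entry(line: str) -> Optional[Entry]:
    # Returns None for lines that are not service/driver entries (headers, blanks).
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    state, name, rest = m.group("state"), m.group("name"), m.group("rest")
    if rest.endswith("[X]"):               # registry entry whose file is gone
        return Entry(state, name, rest[:-3].strip(), None, None, None, False, True)
    f = FILE_RE.match(rest)
    if not f:
        return None
    tail, signed = f.group("tail"), True
    if tail.endswith(UNSIGNED):            # FRST's signature verdict is a trailing flag
        signed, tail = False, tail[:-len(UNSIGNED)].rstrip()
    company = tail[1:-1]                   # strip outer parens; inner ones like (PCAUSA) survive
    return Entry(state, name, f.group("path"), int(f.group("size")),
                 f.group("date"), company, signed, False)

def triage(text: str) -> List[Tuple[str, str]]:
    # (name, reasons) pairs that deserve a second look during log review.
    findings = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        if e.missing:
            reasons.append("orphaned registry entry, file missing")
        else:
            if not e.signed:
                reasons.append("file not signed")
            if not e.company:
                reasons.append("no company name")
        if reasons:
            findings.append((e.name, "; ".join(reasons)))
    return findings
```

Run `triage(SAMPLE_LOG)` to see the flagged entries; a flag only means "review this", since legitimate older drivers (such as a fan-control helper) are often unsigned on a Vista-era system.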
 
 


#3 olivia7

olivia7
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:57 PM

Posted 02 June 2015 - 06:01 PM

Yeah, I knew it wasn't advised, but since the friend I mentioned in the first post had told me to run it in the past, I decided to take the chance. Plus, the computer was so screwed up already, and I figured I'd have to reformat it anyway, that I thought it couldn't hurt much.

Anyway, my friend unexpectedly returned to the country early and we went ahead and reformatted. It was still having the same problems after that, and combined with issues that I realized in retrospect it'd been having for quite a while, he said it seemed most likely to be a failing hard drive. Since it was 8 years old and it'd had to have a few parts replaced already, I didn't want to put more money into it and ended up just getting a new one.

My friend said the same thing, that the files other than executable ones would be fine and there wasn't a problem transferring them over. Especially since it appeared that the issues I was having were caused by the hard drive and not a virus, but if I wanted to be safe to not transfer the executable files anyway. I didn't since they were easy enough to get again (the programs I use for work I was able to bring home installation disks for, and the freeware I could re-download from the company's website). And yes, those files you mentioned are ones I use for work, so I know what they are.

I'm all set up with the new computer and everything seems to be going fine, but thanks for getting back to me!



#4 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,133 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:57 PM

Posted 03 June 2015 - 12:37 AM

OK, thanks for informing me. I will close the topic as solved.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

unite_blue.png
 
 


#5 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,133 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:57 PM

Posted 03 June 2015 - 12:37 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

unite_blue.png
 
 




