
Avira autorun.inf


This topic is locked
24 replies to this topic

#1 cp5 (Members, 20 posts)

Posted 22 January 2016 - 11:26 AM

Hi,

 

I'm using Windows 7 and I have Avira AV installed.

Recently I have been getting notifications from Avira that it blocked "q/autorun.inf", which is one of my drives on the computer (Lenovo E530).

I ran an Avira scan and also Malwarebytes, and it came back clean.

How do I know if it is a false alarm or a malware/virus that is trying to attack and keeps getting blocked?

I have added my logs:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:18-01-2016
Ran by אוהד (administrator) on WIN-DLOBEKRRPF7 (23-01-2016 09:48:23)
Running from C:\Users\אוהד\Downloads
Loaded Profiles: אוהד (Available Profiles: אוהד)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: עברית (ישראל)‏
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
2016-01-20 19:33 - 2016-01-20 19:34 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-01-20 19:33 - 2016-01-20 19:33 - 00002058 _____ C:\Users\Public\Desktop\Acrobat Reader DC.lnk
2016-01-20 19:32 - 2016-01-20 19:32 - 02213411 _____ C:\Users\אוהד\Downloads\ביקורת - שנת השלמה (4).pdf
2016-01-20 19:29 - 2016-01-20 19:30 - 01768694 _____ C:\Users\אוהד\Downloads\ביקורת - שנת השלמה (3).pdf
2016-01-18 18:58 - 2016-01-18 18:58 - 00030033 _____ C:\Users\אוהד\Downloads\לוח שנה אקדמי שנת השלמה אוקטובר 2015_מעודכן.pdf
2016-01-17 23:37 - 2016-01-17 23:38 - 78898752 _____ C:\Users\אוהד\Downloads\אלבום - אסף אמדורסקי - צד א.rar
2016-01-17 17:37 - 2016-01-17 17:37 - 01768694 _____ C:\Users\אוהד\Downloads\ביקורת - שנת השלמה (2).pdf
2016-01-16 19:22 - 2016-01-16 19:22 - 03475058 _____ C:\Users\אוהד\Downloads\ביקורת חשבונות חלק ב' - נוי חדד.pdf
2016-01-16 19:22 - 2016-01-16 19:22 - 02589357 _____ C:\Users\אוהד\Downloads\מבוא לחשבונאות פיננסית מתקדמת- שירן חי .pdf
2016-01-11 21:10 - 2016-01-11 21:10 - 01768694 _____ C:\Users\אוהד\Downloads\ביקורת - שנת השלמה (1).pdf
2016-01-11 17:22 - 2016-01-11 17:22 - 00981084 _____ C:\Users\אוהד\Downloads\EsekChai.pdf
2016-01-09 19:08 - 2016-01-17 23:34 - 00009622 _____ C:\Users\אוהד\Desktop\כסף.xlsx
2016-01-07 20:21 - 2016-01-07 20:21 - 00286000 _____ C:\Windows\Minidump\010716-16130-01.dmp
2016-01-06 15:17 - 2016-01-06 15:17 - 00725701 _____ C:\Users\אוהד\Downloads\last_x264.tar.bz2
2016-01-06 15:16 - 2016-01-06 15:16 - 00300521 _____ C:\Users\אוהד\Downloads\matroskasplitter_20040111-2.zip
2016-01-04 00:26 - 2016-01-21 05:09 - 00000000 ____D C:\Users\אוהד\Downloads\Nas - Illmatic (Clean Version) [1994] {MP3 - 320 kbps}
2016-01-04 00:18 - 2016-01-16 11:39 - 00000000 ____D C:\Users\אוהד\Downloads\1000FOF
2016-01-03 14:12 - 2016-01-21 05:09 - 00000000 ____D C:\Users\אוהד\Downloads\Burnt.2015.BRRip.XViD-ETRG
2016-01-03 14:12 - 2016-01-03 14:12 - 00057633 _____ C:\Users\אוהד\Downloads\[kat.cr]burnt.2015.brrip.xvid.etrg.torrent
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-23 09:48 - 2014-07-31 17:05 - 00000000 ____D C:\FRST
2016-01-23 09:45 - 2014-08-16 13:25 - 00000000 ____D C:\Users\אוהד\AppData\Roaming\BitTorrent
2016-01-23 09:31 - 2014-12-23 22:16 - 00000928 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-01-23 09:01 - 2013-12-26 13:07 - 00000934 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3332996190-4255289238-95388593-1001UA.job
2016-01-23 09:00 - 2012-11-27 23:04 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-01-23 00:16 - 2009-07-14 06:45 - 00031472 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-01-23 00:16 - 2009-07-14 06:45 - 00031472 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-01-22 23:49 - 2015-12-02 17:09 - 00000000 ____D C:\Users\אוהד\AppData\LocalLow\BitTorrent
2016-01-22 23:45 - 2012-11-01 06:45 - 00000000 ____D C:\Users\אוהד\AppData\LocalLow\AuthenTec
2016-01-22 18:01 - 2013-12-26 13:07 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3332996190-4255289238-95388593-1001Core.job
2016-01-22 17:57 - 2012-11-01 06:45 - 00000000 ____D C:\Users\אוהד
2016-01-22 16:31 - 2015-11-09 21:51 - 00000000 ____D C:\Users\אוהד\Downloads\Oz
2016-01-22 13:31 - 2014-12-23 22:16 - 00000924 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-01-22 03:23 - 2012-12-17 13:44 - 00000000 ____D C:\ProgramData\Microsoft Help
2016-01-22 03:22 - 2013-03-14 03:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-01-22 03:21 - 2013-03-14 03:01 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-01-22 03:21 - 2013-03-14 03:01 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-01-22 03:12 - 2009-07-14 04:34 - 00000478 _____ C:\Windows\win.ini
2016-01-21 09:33 - 2012-11-04 21:01 - 00000000 ____D C:\Users\אוהד\AppData\Local\Adobe
2016-01-21 09:30 - 2015-09-25 22:45 - 00000000 ____D C:\Users\אוהד\AppData\Local\Popcorn Time Offical
2016-01-21 05:09 - 2015-11-12 17:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fingerprint Reader
2016-01-21 05:09 - 2015-04-05 02:00 - 00000000 ___SD C:\Windows\system32\GWX
2016-01-21 05:09 - 2014-12-11 03:27 - 00000000 ____D C:\Windows\system32\appraiser
2016-01-21 05:09 - 2012-11-27 23:03 - 00000000 ____D C:\Windows\system32\Macromed
2016-01-21 05:09 - 2012-08-23 15:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2016-01-21 05:09 - 2012-08-23 15:09 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-01-21 05:09 - 2012-08-23 15:00 - 00000000 ___HD C:\Windows\system32\WLANProfiles
2016-01-21 05:09 - 2011-12-08 22:02 - 00000000 ___RD C:\Users\Public\Recorded TV
2016-01-21 05:09 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\registration
2016-01-21 05:09 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2016-01-21 05:09 - 2009-07-14 05:20 - 00000000 ____D C:\Windows
2016-01-21 05:08 - 2015-09-25 22:38 - 00000000 ____D C:\Users\אוהד\AppData\Local\Popcorn-Time
2016-01-21 05:08 - 2012-12-17 13:44 - 00000000 __RHD C:\MSOCache
2016-01-21 00:51 - 2014-12-23 22:17 - 00002188 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-01-20 20:16 - 2012-08-23 14:41 - 00392274 _____ C:\Windows\system32\perfh00D.dat
2016-01-20 20:16 - 2012-08-23 14:41 - 00084704 _____ C:\Windows\system32\perfc00D.dat
2016-01-20 20:16 - 2009-07-14 07:13 - 01247912 _____ C:\Windows\system32\PerfStringBackup.INI
2016-01-20 20:16 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\inf
2016-01-20 20:11 - 2015-04-28 20:47 - 00000000 ____D C:\Program Files (x86)\Avira
2016-01-20 20:11 - 2014-07-19 18:29 - 00000000 ____D C:\ProgramData\Ad-Aware Browsing Protection
2016-01-20 20:10 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-01-20 20:00 - 2012-11-27 23:04 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-01-20 20:00 - 2012-11-27 23:03 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-01-20 20:00 - 2012-11-27 23:03 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-01-20 19:33 - 2014-12-23 21:43 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-01-20 19:33 - 2012-08-23 15:07 - 00000000 ____D C:\ProgramData\Adobe
2016-01-20 19:33 - 2012-08-23 15:07 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-01-20 19:29 - 2013-08-18 02:02 - 00000000 ____D C:\Windows\system32\MRT
2016-01-13 21:23 - 2013-06-22 11:03 - 00000000 ____D C:\Users\אוהד\AppData\Local\CrashDumps
 
==================== Files in the root of some directories =======
 
2014-08-16 13:25 - 2014-08-16 13:25 - 1943128 _____ (BitTorrent Inc.) C:\Program Files\BitTorrent.exe
2012-11-01 06:46 - 2012-11-22 21:10 - 0007071 _____ () C:\Users\אוהד\AppData\Roaming\AbsoluteReminder.xml
 
Some files in TEMP:
====================
C:\Users\אוהד\AppData\Local\Temp\avgnt.exe
C:\Users\אוהד\AppData\Local\Temp\rfaw935v.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-01-21 05:33
 
==================== End of FRST.txt ============================

 

 

Thanks a lot for your answer!

Attached Files


Edited by cp5, 23 January 2016 - 04:39 AM.



 


#2 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 23 January 2016 - 10:14 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This file should not run unless you need it to install software.

In computing, an INF file or Setup Information file is a plain-text file used by Microsoft Windows for the installation of software and drivers. INF files are most commonly used for installing device drivers for hardware components.


Read about it.
https://en.wikipedia.org/wiki/INF_file

You can open the file with Notepad and see what will be installed/run if you execute it.


If not required, you can rename the file to autorun.inf.old.
Should you need to run it in the future, all you have to do is rename it back to its original name.

===

A few things you should take care of.



AV: Avira Antivirus (Enabled - Out of date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Antivirus (Enabled - Out of date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


You should also disable Windows Defender. It should not be running while Avira is enabled.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below into the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-3332996190-4255289238-95388593-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mysearch.avg.com/?cid={BAECCE97-947E-4880-A8C5-AB5B9CFF1806}&mid=e004866b6b9947d0b3d3b914052b41b3-a0e55db4a59f1e798bdd56c45695299569962201&lang=en&ds=AVG&coid=avgtbavg&cmpid=1214av&pr=fr&d=2014-12-12 17:47:40&v=4.1.0.411&pid=wtu&sg=&sap=hp
SearchScopes: HKU\S-1-5-21-3332996190-4255289238-95388593-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={BAECCE97-947E-4880-A8C5-AB5B9CFF1806}&mid=e004866b6b9947d0b3d3b914052b41b3-a0e55db4a59f1e798bdd56c45695299569962201&lang=en&ds=AVG&coid=avgtbavg&cmpid=1214av&pr=fr&d=2014-12-12 17:47:40&v=4.0.5.7&pid=wtu&sg=&sap=dsp&q={searchTerms}
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF HKU\S-1-5-21-3332996190-4255289238-95388593-1001\...\Firefox\Extensions: [acewebextension@acestream.org] - C:\Users\????\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension.xpi => not found
CHR HKU\S-1-5-21-3332996190-4255289238-95388593-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - hxxp://clients2.google.com/service/update2/crx



CustomCLSID: HKU\S-1-5-21-3332996190-4255289238-95388593-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\????\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3332996190-4255289238-95388593-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\????\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3332996190-4255289238-95388593-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\????\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3332996190-4255289238-95388593-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\????\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
Task: {02918305-F4A6-41A0-A0A7-EDAF7B888036} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-17] ()
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Control Panel > Programs and Features applet.
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
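The reply above says to open autorun.inf in Notepad and see what it would run. The script below does that check programmatically. It is an added example for this thread, not cp5's or nasdaq's code and not part of Avira or FRST; the two sample files embedded in it are constructed, one in the style of a small OEM driver-disc file and one in the style of a USB worm, and the "suspicious" markers are heuristics chosen here, not a detection signature.

```python
"""Report what an autorun.inf would launch, the check nasdaq suggests doing by
eye in Notepad. Added example for this thread: not cp5's or nasdaq's code and
not part of Avira or FRST. The two sample files below are constructed.
"""
import re
import sys
from typing import Dict, List, Tuple

# [autorun] keys that start a program. icon=, label=, action= and
# UseAutoPlay= only change what AutoPlay shows, they run nothing by themselves.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Heuristics, not signatures: locations and launchers a vendor's driver disc
# has no reason to use, but USB worms habitually do.
SUSPICIOUS_MARKERS = ("recycler", "$recycle.bin", "system volume information",
                      "rundll32", "cmd.exe", "wscript", "cscript", "%temp%")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a dict with lower-cased keys.

    Mirrors the tolerant INI reader Windows uses: section and key names are
    case-insensitive, lines without '=' are skipped, only the [autorun]
    section counts, and the first occurrence of a key wins. Junk padded in
    front of the section header therefore does not hide the real entries.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key and key not in entries:
            entries[key] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """(key, command) pairs that can execute code when the drive is mounted
    or its AutoPlay entry is chosen."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def suspicious_targets(targets: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Subset of targets whose command contains one of the markers above."""
    return [(k, v) for k, v in targets
            if any(m in v.lower() for m in SUSPICIOUS_MARKERS)]


def inspect_autorun(text: str) -> Dict[str, object]:
    """One-call summary of what the file would launch."""
    targets = launch_targets(parse_autorun(text))
    return {"targets": targets, "suspicious": suspicious_targets(targets),
            "launches_anything": bool(targets)}


# Constructed sample in the style of the small OEM driver-disc files that the
# FRST search later in this thread lists under C:\SWTOOLS.
OEM_SAMPLE = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Driver Update
"""

# Constructed sample in the style of USB worms: padding before the section,
# mixed case, and every launch key pointing into a "RECYCLER" folder.
WORM_SAMPLE = """; padding
not an ini line at all
[AuToRuN]
OPEN=RECYCLER\\x.exe
shellexecute=RECYCLER\\x.exe
shell\\Open\\command=RECYCLER\\x.exe
shell=Open
UseAutoPlay=1
"""


def main(argv: List[str]) -> None:
    samples = {"OEM_SAMPLE": OEM_SAMPLE, "WORM_SAMPLE": WORM_SAMPLE}
    if len(argv) > 1:  # inspect a real file instead, e.g. Q:\autorun.inf
        with open(argv[1], encoding="latin-1", errors="replace") as fh:
            samples = {argv[1]: fh.read()}
    for name, text in samples.items():
        summary = inspect_autorun(text)
        print(f"{name}: launches {summary['targets'] or 'nothing'}")
        for key, cmd in summary["suspicious"]:
            print(f"  suspicious {key}={cmd}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a path (`python autorun_check.py Q:\autorun.inf`) to inspect a real file; with no argument it prints the two constructed samples. A file with no launch targets at all (only icon= and label=, as in many recovery-partition files) cannot run anything, which is the question cp5 is really asking.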

#3 cp5 (Topic Starter)

Posted 23 January 2016 - 12:50 PM

Hi again,

 

First of all, thanks for the prompt response.

 

Now for your instructions:

 

1. I cannot find the q/autorun.inf file in the Q drive, therefore I can't know what it is trying to run.

 

2. My Avira was out of date even though it is a free version, I don't know why. That's why I uninstalled it and downloaded it again. That's when the autorun notifications started. If I go inside Avira now it is up to date, so I don't know why you got that log that said it wasn't.

 

3. Regarding windows defender, how do i disable it?

 

4. I updated my Java as requested.

 

5. This is the fix log:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by אוהד (2016-01-23 19:28:30) Run:2
Running from C:\Users\אוהד\Downloads
Loaded Profiles: אוהד (Available Profiles: אוהד)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKU\S-1-5-21-3332996190-4255289238-95388593-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mysearch.avg.com/?cid={BAECCE97-947E-4880-A8C5-AB5B9CFF1806}&mid=e004866b6b9947d0b3d3b914052b41b3-a0e55db4a59f1e798bdd56c45695299569962201&lang=en&ds=AVG&coid=avgtbavg&cmpid=1214av&pr=fr&d=2014-12-12 17:47:40&v=4.1.0.411&pid=wtu&sg=&sap=hp
SearchScopes: HKU\S-1-5-21-3332996190-4255289238-95388593-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={BAECCE97-947E-4880-A8C5-AB5B9CFF1806}&mid=e004866b6b9947d0b3d3b914052b41b3-a0e55db4a59f1e798bdd56c45695299569962201&lang=en&ds=AVG&coid=avgtbavg&cmpid=1214av&pr=fr&d=2014-12-12 17:47:40&v=4.0.5.7&pid=wtu&sg=&sap=dsp&q={searchTerms}
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF HKU\S-1-5-21-3332996190-4255289238-95388593-1001\...\Firefox\Extensions: [acewebextension@acestream.org] - C:\Users\????\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension.xpi => not found
CHR HKU\S-1-5-21-3332996190-4255289238-95388593-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - hxxp://clients2.google.com/service/update2/crx
 
 
 
CustomCLSID: HKU\S-1-5-21-3332996190-4255289238-95388593-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\????\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3332996190-4255289238-95388593-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\????\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3332996190-4255289238-95388593-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\????\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3332996190-4255289238-95388593-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\????\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
Task: {02918305-F4A6-41A0-A0A7-EDAF7B888036} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-17] ()
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-3332996190-4255289238-95388593-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
"HKU\S-1-5-21-3332996190-4255289238-95388593-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}" => key removed successfully
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
HKU\S-1-5-21-3332996190-4255289238-95388593-1001\Software\Mozilla\Firefox\Extensions\\acewebextension@acestream.org => value removed successfully
"HKU\S-1-5-21-3332996190-4255289238-95388593-1001\SOFTWARE\Google\Chrome\Extensions\bknbnapaddjdnbilpmlacdkjdkjmbjhd" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\bknbnapaddjdnbilpmlacdkjdkjmbjhd" => key removed successfully
"HKU\S-1-5-21-3332996190-4255289238-95388593-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}" => key removed successfully
"HKU\S-1-5-21-3332996190-4255289238-95388593-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => key removed successfully
"HKU\S-1-5-21-3332996190-4255289238-95388593-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}" => key removed successfully
"HKU\S-1-5-21-3332996190-4255289238-95388593-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{02918305-F4A6-41A0-A0A7-EDAF7B888036}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{02918305-F4A6-41A0-A0A7-EDAF7B888036}" => key removed successfully
C:\Windows\System32\Tasks\ROC_REG_JAN_DELETE => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ROC_REG_JAN_DELETE" => key removed successfully
C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => moved successfully
EmptyTemp: => 2.2 GB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 19:33:45 ====
 
6. Last thing I want to make sure of:
If I am not trying to install anything, does this mean that it is malware/a virus for sure?
 
Thanks again!


#4 nasdaq (Malware Response Team)

Posted 23 January 2016 - 03:03 PM



1. I cannot find th q/autorun.inf file in Q drive, therefore i can't know what is it trying to run.


The q/ is not a drive.

Let's find out if it's in your C: drive.

Please run the Farbar Recovery Scan Tool. Enter autorun.inf in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

If you have a flash drive check it out it may be in it.
===

My avira was out of date even though it is a free version, i don't know why. That's why i uninstalled it and downloaded it again-That's when the autorun notifiaction start. If i go inside avira now it is up to date so i don't know why you got that log that said it wasn't.

The Farbar tool needs to be updated. You should have the latest version but the tool has not been changed to reflect this.
===

Windows defender.
http://windows.microsoft.com/en-ca/windows/turn-windows-defender-on-off#turn-windows-defender-on-off=windows-7

===

I do not think you are infected.
Just let me have the results of the Farbar scan.

#5 cp5 (Topic Starter)

Posted 24 January 2016 - 01:30 PM

 Hi,

 

This is the search log:

 

Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by אוהד (2016-01-24 20:03:32)
Running from C:\Users\אוהד\Downloads
Boot Mode: Normal
 
================== Search Files: "autorun.inf" =============
 
C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf
[2009-07-13 22:21][2009-06-10 23:43] 0000116 ____A () 58835871E57FA4900939E252DAE4090F [File is digitally signed]
 
C:\SWTOOLS\DRIVERS\WLANINT\Autorun.inf
[2012-08-23 14:59][2012-03-02 12:32] 0000280 ____A () 08549BF69527A649E938895B6F2650FA [File not signed]
 
C:\SWTOOLS\DRIVERS\UNAV\Autorun.inf
[2012-08-23 15:18][2006-08-17 04:54] 0000029 ____A () 55CC3295A7AC6D384B5348208361177F [File not signed]
 
C:\SWTOOLS\DRIVERS\MEI\autorun.inf
[2012-08-23 14:56][2009-01-23 01:54] 0000025 ____A () C9DE79DFD2B51AAAA2B49B9F4AC54049 [File not signed]
 
C:\SWTOOLS\DRIVERS\Graphics\Intel\autorun.inf
[2012-08-23 14:58][2012-06-21 04:46] 0000025 ____A () C9DE79DFD2B51AAAA2B49B9F4AC54049 [File not signed]
 
C:\SWTOOLS\DRIVERS\Bluetooth\Autorun.inf
[2012-08-23 15:02][2012-03-27 00:54] 0000254 ____A () 934E0631269AE1A872D2A74ABD99D386 [File not signed]
 
C:\SWTOOLS\DMFSD\Autorun.inf
[2012-06-01 02:26][2008-10-09 19:49] 0000049 ____A () 3505325E7A3E0E2C94F3B517F4272783 [File not signed]
 
C:\ProgramData\Microsoft\OEMOffice14\Office14\autorun.inf
[2012-08-23 15:16][2011-08-18 14:11] 0000175 ____A () 4B7BFC85ABE1DB733A3383FE28A69831 [File not signed]
 
C:\Program Files\MLPS\apps\DMFSD\Autorun.inf
[2012-08-23 15:09][2008-10-09 19:49] 0000049 ____A () 3505325E7A3E0E2C94F3B517F4272783 [File not signed]
 
C:\$Windows.~BT\autorun.inf
[2015-09-10 08:19][2015-06-18 03:15] 0000128 ____A () 1EE3BD713BAF8DA75ECD537F7E086EB8 [File not signed]
 
====== End of Search ======
 
 
 
 
Regarding the Q drive, it is a recovery drive as you can see in the photo attached.
 
The Farbar says it is updated when I open it.
 
Regarding windows defender:
Why is it a problem that it is working while avira is working too? Isn't it safer this way?
 
Thanks again!

Attached Files

  • 1.jpg (87.98KB)


#6 nasdaq (Malware Response Team)

Posted 25 January 2016 - 08:11 AM

Regarding windows defender:
Why is it a problem that it is working while avira is working too? Isn't it safer this way?


If you have no problems with it leave it alone.

I was just making sure that it was not slowing down your system.
===

The Autorun.inf file is probably hidden as are other files in the Q drive.

See if you can find it by proceeding this way.

Unhide files/folders Windows 7.
How To:
http://windows.microsoft.com/en-ca/windows/show-hidden-files#show-hidden-files=windows-7
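The reply above expects the file to be hidden. A directory listing from code returns every entry regardless of the Hidden and System attributes, so it finds what Explorer's default view does not (Windows 7 keeps files that carry the System attribute out of view until "Hide protected operating system files" is also unchecked, a separate option from "Show hidden files"). The script below is an added example for this thread, not part of FRST, Avira or either poster's instructions: it walks a root such as `Q:\` for autorun.inf and reports the attributes on Windows; elsewhere `st_file_attributes` does not exist and is reported as None. The demo tree it builds in a temporary directory is constructed so the code runs on any system.

```python
"""Find autorun.inf files a default Explorer view would hide, and show their
Hidden/System attributes. Added example for this thread, not part of FRST,
Avira or the replies above. The demo tree is constructed.
"""
import os
import stat
import sys
import tempfile
from typing import List, Optional, Tuple

# Windows attribute bits; stat exposes them on every platform since 3.5, the
# getattr fallbacks keep the script running on older interpreters.
ATTR_BITS = (
    (getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2), "hidden"),
    (getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4), "system"),
    (getattr(stat, "FILE_ATTRIBUTE_READONLY", 0x1), "readonly"),
)


def describe_attributes(st: os.stat_result) -> Optional[List[str]]:
    """Names of the set attribute bits, or None where the OS has no such field."""
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is None:
        return None
    return [name for bit, name in ATTR_BITS if attrs & bit]


def find_autorun_files(root: str, max_depth: int = 2
                       ) -> List[Tuple[str, int, Optional[List[str]]]]:
    """Return (path, size, attributes) for every autorun.inf under root.

    The walk is case-insensitive on the name and stops max_depth levels down,
    because a drive root is where AutoRun looks; deeper copies (driver folders)
    are reported only so they can be told apart from the one at the root.
    """
    root = os.path.abspath(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = dirpath[len(root):].count(os.sep)
        if depth >= max_depth:
            dirnames[:] = []          # do not descend further
        for name in filenames:
            if name.lower() != "autorun.inf":
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)    # follows the entry even if hidden/system
            except OSError:
                continue
            hits.append((path, st.st_size, describe_attributes(st)))
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed stand-in for a drive root: one autorun.inf at the root,
    one in a driver folder, and a decoy with a different name."""
    root = tempfile.mkdtemp(prefix="autorun_demo_")
    os.makedirs(os.path.join(root, "DRIVERS", "WLAN"))
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nicon=recovery.ico\nlabel=Lenovo_Recovery\n")
    with open(os.path.join(root, "DRIVERS", "WLAN", "Autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=Install.exe\n")
    with open(os.path.join(root, "autorun.txt"), "w") as fh:
        fh.write("not an autorun file\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for path, size, attrs in find_autorun_files(target):
        print(f"{path}  {size} bytes  attributes={attrs}")
```

Run it as `python find_autorun.py Q:\` on the machine in question; the attribute list tells you whether the file is Hidden, System or both, which is why Explorer did not show it even after the "show hidden files" change.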

#7 cp5 (Topic Starter)

Posted 25 January 2016 - 12:22 PM

Done that, still nothing appears.



#8 nasdaq (Malware Response Team)

Posted 25 January 2016 - 02:29 PM

Do you see other files in the Q drive.

#9 cp5 (Topic Starter)

Posted 27 January 2016 - 02:14 AM

There are 3 files as you can see in the attached photo:

One Word file that I recognize.

One folder with nothing in it that I don't recognize.

One unknown file with my name that I don't recognize.

Attached Files



#10 nasdaq (Malware Response Team)

Posted 27 January 2016 - 09:25 AM

One folder with nothing in it that i don't recognize.

Remove the Empty folder.

One unknown file with my name that i don't recognize.
It's a .tmp file remove it.

Move the Word file to your C:\ drive.


Keep me posted.

#11 nasdaq (Malware Response Team)

Posted 01 February 2016 - 08:47 AM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#12 nasdaq (Malware Response Team)

Posted 07 February 2016 - 08:31 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#13 nasdaq (Malware Response Team)

Posted 13 February 2016 - 01:58 PM

This topic has been re-opened at the request of the person who originally posted.

#14 cp5 (Topic Starter)

Posted 14 February 2016 - 04:04 AM

Hi again,

 

I still get notifications about autorun.inf, any suggestions why?



#15 nasdaq (Malware Response Team)

Posted 14 February 2016 - 08:28 AM

The last time we checked for the Autorun.inf we looked for the file.
This time let's see what settings we can find in the registry.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:

    :regfind
    Autorun.inf
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===
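A registry search for "Autorun.inf" like the one requested above mainly turns up two things: the `NoDriveTypeAutoRun` policy value (a bitmask, one bit per drive type, that decides where Windows honours autorun.inf at all) and, if someone hardened the machine, the `IniFileMapping\Autorun.inf` key that redirects the INI reader so autorun.inf is never parsed. The script below decodes those values. It is an added example for this thread, not SystemLook's, nasdaq's or cp5's code; the bit meanings are Microsoft's documented NoDriveTypeAutoRun flags, the Windows 7 default of 0x91 is from the same documentation, and reading the live values requires `winreg`, so on a non-Windows system only the decoder runs.

```python
"""Decode the AutoRun registry settings a search for "Autorun.inf" turns up.
Added example for this thread: not SystemLook's or either poster's code.
NoDriveTypeAutoRun bits are Microsoft's documented flags; the
IniFileMapping\\Autorun.inf key (commonly set to "@SYS:DoesNotExist") is the
widely recommended way to stop Windows parsing autorun.inf entirely.
"""
from typing import Dict, Optional

POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
INIMAP_SUBKEY = (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                 r"\IniFileMapping\Autorun.inf")

# NoDriveTypeAutoRun: each set bit DISABLES AutoRun for that drive type.
# 0x01 and 0x80 both mean "drive of unknown type"; 0xFF disables all of them.
DRIVE_TYPE_BITS = (
    (0x01, "unknown"), (0x04, "removable"), (0x08, "fixed"),
    (0x10, "network"), (0x20, "cdrom"), (0x40, "ramdisk"), (0x80, "unknown"),
)
WINDOWS7_DEFAULT = 0x91  # unknown + network disabled; removable/fixed/CD allowed


def decode_no_drive_type_autorun(value: int) -> Dict[str, bool]:
    """Map each drive type to True when AutoRun is disabled for it."""
    disabled: Dict[str, bool] = {}
    for bit, name in DRIVE_TYPE_BITS:
        disabled[name] = disabled.get(name, False) or bool(value & bit)
    return disabled


def autorun_fully_disabled(value: int) -> bool:
    """True only when every drive type is covered (0xFF or equivalent)."""
    return all(decode_no_drive_type_autorun(value).values())


def read_autorun_settings() -> Optional[Dict[str, object]]:
    """Read the live values on Windows; return None on other systems."""
    try:
        import winreg
    except ImportError:
        return None
    result: Dict[str, object] = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            result[f"{hive_name}\\NoDriveTypeAutoRun"] = value
        except OSError:
            result[f"{hive_name}\\NoDriveTypeAutoRun"] = None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INIMAP_SUBKEY) as key:
            result["IniFileMapping\\Autorun.inf"] = winreg.QueryValueEx(key, "")[0]
    except OSError:
        result["IniFileMapping\\Autorun.inf"] = None   # key absent: not hardened
    return result


if __name__ == "__main__":
    for label, val in (("Windows 7 default", WINDOWS7_DEFAULT), ("all drives", 0xFF)):
        d = decode_no_drive_type_autorun(val)
        print(f"{label} (0x{val:02X}): AutoRun disabled for "
              f"{[name for name, off in d.items() if off]}")
    live = read_autorun_settings()
    print("live values:", live if live is not None else "not running on Windows")
```

If the SystemLook output shows `NoDriveTypeAutoRun` at 0xFF or the `IniFileMapping\Autorun.inf` key present, Windows will not act on a Q:\autorun.inf even if it exists, and an antivirus notice about the file is a detection of the file's content, not of it having run.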



