Sneaky is creepy

This is my first post so I hope I don't violate any rules or post in the wrong place. I have someone I use to call friend but after his odd behavior while on my computer to locate VHS to download from a website he said was real "cool"  He said he needed to stop Malwarebytes from running because it would not allow the download,  This hackers site does not show any activity as far as downloading.  Just click a file and sooner or later it is in your files.  After he returned my pc back to me I checked around to see what is is he might have done and noticed in my downloads three particular files.  Following up on them, seems as if one is a router hack, another a silent inst aller and the last, a password stealer. 

Can't seem to find how to paste something simple so I will rewrite

Nirsoft.&.Sysinternals.Utilities.Suite_2016                  SetupS.SendTo Sil...   20, 992kb

SetupS,SendTo.Suite_v16.120.0_ssApp                    Application                   21,140kb

SetupS.SendTo.Suite_v16 120.0_ssApp                    SetupS.SendTo Sil...    17,576KB

Am I wrong in thinking the purpose of having these downloaded on my PC is something nefarious or are they just random benign

files of which he was illustrating the ease of that hackers website?

Any insight would be very appreciated.  I can't remain in  limbo.

Edited by hamluis, 10 April 2016 - 02:28 PM.
Moved from Gen Sec to Am I Infected - Hamluis.

 Following up on them, seems as if one is a router hack, another a silent inst aller and the last, a password stealer. 

From where did you get that information?

Well nirsoft is and can be used to steal passwords so what ever he did has nothing to do with VHS mate, he simply trying to access your PC by the sounds of it and appears to be no friend but someone with small mans syncdrome.

I would say he used nirsoft to access wifi passwords and windows credentials, even passwords from internet explorer, firefox and chrome.

Hello Didier, thank you for responding.  I presume you understood they came from my download library and therefore are referring to each as to where I found the information that allowed me to characterize each as I had.

With respect to this file I located on my PC; file:C:\ppApps\NirSoft-Sysinternals\NirSoft\mailpv.exe I believe I found the following it in a link associated with Bleeping Computer. I recall thinking I could trust that info:

Threat behavior

HackTool:Win32/Mailpassview is a freeware tool that is used to display passwords for a number of email applications. It has a graphical user interface (GUI), but can be run without being displayed to the affected user by utilizing command line switches to save the captured password information to various formats. It can show passwords for the following email applications: Microsoft Outlook Express Microsoft Outlook Windows Mail Windows Live Mail IncrediMail Eudora Netscape 6.x/7.x Mozilla Thunderbird Yahoo! Mail Hotmail/MSN mail Gmail A configuration file named <filename>.cfg is dropped in the folder the program runs from, f or example, Mailpv.exe would drop Mailpv.cfg.

An image of the tool is shown below:

and;

Threat behavior

Hacktool:Win32/Netpass is a detection for the network password recovery tool. It may have the file name "netpass.exe" and is capable of recovering locally stored passwords for network computers.

and as source:

.

I hope that addresses that which you were referring. All seems sinister to me. That and about 400 new items Malwarebytes located immediately thereafter;

Thank you 

Well a lot of script kiddies like to take control of machines to use as Ddos zombies or calculating bit coins.

Some people just think they are awesome because they watched a youtube video and learnt how to do something but never actually created their own exploit and or method of attack/ access.

Its only when you say "Ohh so if i did this would you be able to access it" then they generally change the subject because they actually have no clue.

I have had many convo with people in online games threading this and that blah blah, start getting info from their device's or ask some technical questions and they either leave, change subject or call you a chinese hacker LOL.

If you dont know something then there is nothing wrong with admitting it, you look better being honest then a fool claiming to be a Ub3r L337 Hax0r using tools you never know how they work or write your own.

Go watch some of Didier's videos mate, he knows what he is talking about.

 My internet usage meter indicates usage of just over 9 GB for the past 4 days.  1900 items in 19 folders  in my Pictures library is .5.5 GB and 1074 files in 74 folders is not quite 2 GB which make up the bulk of my usage in the two months I have had this machine..No vids downloaded. Just watched a few on You Tube and surfed FB a few hours since then.  An IT friend said last night that the property details of my network indicated another server other than the three identical listings I had. and with an addition of... IPv4...but a blank address appeared to him that someone other than myself had access my PC

Do I need to call out my former friend or does he already know.

I was asking because I wondered if you used a kind of AV scanner on these files, and then it would be useful to have the output of that scanner.

I suppose you can not get (reliable) information from the person who did this? To determine if said person did something nefarious.

Thank you again Didier.   I'm not familiar with an AV scanner.  Does it indicate activity they have caused or responded to?  In your opinion, are those randomly selected downloads of a list or do they seem to have a deliberate connection for a future attempt to access data remotely?

*Edit   Antii Virus  not Audio Video...my bad

Edited by bmrbogtrotter, 11 April 2016 - 01:15 PM.

After telling me that the site from where the aforementioned downloads came from (and they show no indication whatsoever as they download in stealth) that I would love that website....and upon simply being shown and with no accusations as to what I had found, he offered the following as a sidestepped denial which I find to be totally conflicting with his initial praises 

http://www.nirsoft.net/false_positive_report.html

and

https://www.foolishit.com/2009/10/nirsoft-utility-launcher-beta-with-sysinternals-functionality/

Johnny Jammer...After re reading your above comment it seems as if that response was directed at me trying to bluff someone here into telling me how to do what I said was done to me.  Talk about adding insult to injury.  I was wanting to know if someone whom I had once trusted breached that...period.  Not the steps or methods to destroy that.  Trust does not work that way, Mate.