
aswMBR found infected files


This topic is locked
14 replies to this topic

#1 EsatoP

  • Members
  • 7 posts
  • OFFLINE
  • Local time: 03:44 PM

Posted 22 August 2016 - 01:00 AM

Hello. I need some help. I was trying to figure out why my hard drive space is constantly decreasing so I searched through some topics here. I downloaded aswMBR and it found infected files. What should I do?

 

Here is the log from the scan. 

 

 

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2016-08-21 22:22:47
-----------------------------
22:22:47.711    OS Version: Windows x64 6.2.9200 
22:22:47.711    Number of processors: 4 586 0x402
22:22:47.712    ComputerName: EDGAR-PC  UserName: Edgar
22:22:49.848    Initialize success
22:22:49.898    VM: initialized successfully
22:22:49.899    VM: Amd CPU supported 
22:24:41.356    AVAST engine defs: 16082100
22:24:43.718    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
22:24:43.720    Disk 0 Vendor: ST3500418AS CC34 Size: 476940MB BusType: 3
22:24:43.937    Disk 0 MBR read successfully
22:24:43.938    Disk 0 MBR scan
22:24:44.152    Disk 0 Windows 7 default MBR code
22:24:44.217    Disk 0 Partition 1 80 (A) 07      HPFS/NTFS NTFS       476488 MB offset 2048
22:24:44.275    Disk 0 Partition 2 00     27 Hidden NTFS WinRE NTFS          450 MB offset 975849472
22:24:44.613    Disk 0 scanning C:\WINDOWS\system32\drivers
22:25:18.397    Service scanning
22:26:18.125    Modules scanning
22:26:18.129    Disk 0 trace - called modules:
22:26:18.174    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys hal.dll 
22:26:18.178    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe0008f7d9060]
22:26:18.181    3 CLASSPNP.SYS[fffff8010e4a7d95] -> nt!IofCallDriver -> [0xffffe0008eba7520]
22:26:18.184    5 ACPI.sys[fffff8010d711361] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xffffe0008ebac600]
22:26:21.679    AVAST engine scan C:\WINDOWS
22:26:35.558    AVAST engine scan C:\WINDOWS\system32
22:36:27.395    AVAST engine scan C:\WINDOWS\system32\drivers
22:37:14.962    AVAST engine scan C:\Users\Edgar
23:06:35.356    File: C:\Users\Edgar\AppData\LocalLow\TrustWorthy\hk64tbTru0.dll  **INFECTED** Win32:SearchProtect-DU [Adw]
23:06:40.848    File: C:\Users\Edgar\AppData\LocalLow\TrustWorthy\ldrtbTru0.dll  **INFECTED** Win32:SearchProtect-DU [Adw]
23:06:43.969    File: C:\Users\Edgar\AppData\LocalLow\TrustWorthy\prxtbTru0.dll  **INFECTED** Win32:SearchProtect-DU [Adw]
23:06:46.923    File: C:\Users\Edgar\AppData\LocalLow\TrustWorthy\tbTru1.dll  **INFECTED** Win32:BHO-APX [Adw]
00:24:23.105    AVAST engine scan C:\ProgramData
00:43:29.575    Disk 0 statistics 7676198/0/0 @ 0.73 MB/s
00:43:29.580    Scan finished successfully
00:48:14.383    Disk 0 MBR has been saved successfully to "C:\Users\Edgar\Downloads\MBR.dat"
00:48:14.461    The log file has been saved successfully to "C:\Users\Edgar\Downloads\aswMBR.txt"
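The aswMBR log has a regular shape (timestamped events, a partition table, a line saying whether the MBR code matched a known stock image, and `**INFECTED**` hits with the engine's detection name and a bracketed class tag), which makes it easy to reduce to the few facts a responder acts on before choosing the next tool. The parser below is an added example written for this page; it is not part of the thread and not AVAST's code. The sample log is constructed to follow the format of the one posted, with made-up vendor string and paths, and the partition sizes are used to compute how much of the disk is not covered by any partition.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Scan events are "HH:MM:SS.mmm<spaces>message"; banner lines (version, run date) carry no timestamp.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<msg>.*)$")
DISK_RE = re.compile(r"^Disk (?P<disk>\d+) Vendor: .*?Size: (?P<size>\d+)MB")
PART_RE = re.compile(
    r"^Disk (?P<disk>\d+) Partition (?P<num>\d+) (?P<boot>[0-9A-F]{2})\s+"
    r"(?:\((?P<flag>\w)\)\s+)?(?P<type>[0-9A-F]{2})\s+(?P<desc>.+?)\s+"
    r"(?P<size>\d+) MB offset (?P<offset>\d+)$"
)
MBR_STOCK_RE = re.compile(r"^Disk (?P<disk>\d+) (?P<os>.+?) default MBR code$")
INFECTED_RE = re.compile(
    r"^File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s+(?P<name>\S+)(?:\s+\[(?P<kind>[^\]]+)\])?$"
)


@dataclass
class Finding:
    path: str
    detection: str            # engine name, e.g. Win32:SearchProtect-DU
    category: Optional[str]   # bracketed tag, e.g. "Adw" for adware; None if absent


@dataclass
class Summary:
    os_version: Optional[str] = None
    disk_size_mb: Dict[int, int] = field(default_factory=dict)
    partitions: Dict[int, List[Tuple[int, str, int]]] = field(default_factory=dict)  # disk -> [(num, desc, MB)]
    active_partitions: Dict[int, List[int]] = field(default_factory=dict)
    mbr_stock: Dict[int, str] = field(default_factory=dict)  # disk -> OS whose stock MBR code was recognised
    findings: List[Finding] = field(default_factory=list)
    finished: bool = False


def parse_aswmbr(text: str) -> Summary:
    """Reduce an aswMBR log to the facts a responder acts on."""
    s = Summary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner or blank line, not a scan event
        msg = m.group("msg").strip()
        if msg.startswith("OS Version:"):
            s.os_version = msg.split(":", 1)[1].strip()
        elif (d := DISK_RE.match(msg)):
            s.disk_size_mb[int(d["disk"])] = int(d["size"])
        elif (p := PART_RE.match(msg)):
            disk = int(p["disk"])
            s.partitions.setdefault(disk, []).append((int(p["num"]), p["desc"], int(p["size"])))
            if p["flag"] == "A":  # "(A)" marks the active (bootable) partition
                s.active_partitions.setdefault(disk, []).append(int(p["num"]))
        elif (k := MBR_STOCK_RE.match(msg)):
            s.mbr_stock[int(k["disk"])] = k["os"]
        elif (i := INFECTED_RE.match(msg)):
            s.findings.append(Finding(i["path"], i["name"], i["kind"]))
        elif msg == "Scan finished successfully":
            s.finished = True
    return s


def triage(s: Summary) -> Dict[str, object]:
    """First questions: did the scan complete, is the boot code stock, are all hits
    adware-class, and is any disk space not covered by a partition?"""
    all_adware = bool(s.findings) and all(f.category == "Adw" for f in s.findings)
    unallocated = {
        disk: size - sum(mb for _, _, mb in s.partitions.get(disk, []))
        for disk, size in s.disk_size_mb.items()
    }
    return {
        "finished": s.finished,
        "hits": len(s.findings),
        "all_hits_adware": all_adware,
        "stock_mbr_disks": sorted(s.mbr_stock),
        "unallocated_mb": unallocated,
    }


# Constructed sample in the format of the log posted above (vendor string and paths are made up).
SAMPLE_LOG = r"""aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2016-08-21 22:22:47
-----------------------------
22:22:47.711    OS Version: Windows x64 6.2.9200
22:24:43.720    Disk 0 Vendor: EXAMPLE123 CC34 Size: 476940MB BusType: 3
22:24:43.937    Disk 0 MBR read successfully
22:24:44.152    Disk 0 Windows 7 default MBR code
22:24:44.217    Disk 0 Partition 1 80 (A) 07      HPFS/NTFS NTFS       476488 MB offset 2048
22:24:44.275    Disk 0 Partition 2 00     27 Hidden NTFS WinRE NTFS          450 MB offset 975849472
23:06:35.356    File: C:\Users\example\AppData\LocalLow\ExampleToolbar\tb0.dll  **INFECTED** Win32:SearchProtect-DU [Adw]
23:06:46.923    File: C:\Users\example\AppData\LocalLow\ExampleToolbar\tb1.dll  **INFECTED** Win32:BHO-APX [Adw]
00:43:29.580    Scan finished successfully
"""

if __name__ == "__main__":
    summary = parse_aswmbr(SAMPLE_LOG)
    for f in summary.findings:
        print(f"{f.detection:25} [{f.category}] {f.path}")
    print(triage(summary))
```

On the sample, every hit carries the `[Adw]` tag and sits under a user's `AppData\LocalLow` toolbar directory while the MBR code matched a stock Windows 7 image, which is the profile of a toolbar/adware leftover rather than a bootkit; that reading is consistent with the helper's choice in the next post to start with adware and junkware removers rather than a boot-sector repair. The small unallocated figure comes from the usual alignment gap before the first partition; a large gap would be a reason to look closer.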
 
 
 
 



 


#2 satchfan

  • Malware Response Team
  • 2,838 posts
  • OFFLINE
  • Gender: Female
  • Location: Devon, UK
  • Local time: 09:44 PM

Posted 22 August 2016 - 02:27 AM

Hello EsatoP and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please follow these instructions in the order given.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.


  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

================================================

Logs to include with next post:

AdwCleaner log
JRT.txt
Frst.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 EsatoP (Topic Starter)

  • Members
  • 7 posts
  • OFFLINE
  • Local time: 03:44 PM

Posted 22 August 2016 - 09:58 AM

Thank you for assisting me Satchfan! I've done the steps listed and attached the logs.

Attached Files



#4 satchfan

  • Malware Response Team
  • 2,838 posts
  • OFFLINE
  • Gender: Female
  • Location: Devon, UK
  • Local time: 09:44 PM

Posted 22 August 2016 - 10:46 AM

Thanks for the logs.

 

It seems that the first 2 scans cleaned a lot of mess up so that's good.

 

I'm a bit busy now but will check the logs and reply later.




#5 EsatoP (Topic Starter)

  • Members
  • 7 posts
  • OFFLINE
  • Local time: 03:44 PM

Posted 22 August 2016 - 12:12 PM

Thanks Satchfan! I'll be out for an hour or two so I'll be shutting down my computer and then I'll await further instructions. Again, thanks for assisting me!

#6 satchfan

  • Malware Response Team
  • 2,838 posts
  • OFFLINE
  • Gender: Female
  • Location: Devon, UK
  • Local time: 09:44 PM

Posted 22 August 2016 - 03:14 PM

You really have so much on this computer that I don’t understand and some of which is likely illegal.

P2P - I see you have P2P software, (uTorrent & GreedyTorrent), installed on your machine.

We are not here to pass judgment on file-sharing as a concept but we will warn you that engaging in this activity will always make your computer very susceptible to infection and re-infection.

This almost certainly contributed to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are more often than not, infected. Those who write malware use P2P file-sharing as a major vehicle to spread their wares.

Please see this topic for more information:

P2P File Sharing Risks.

I would strongly recommend that you uninstall them now. Should you decide to keep them, please don’t use them until we have finished up here.

There also seem to be some Japanese games – did you intentionally download these?

===================================================

You need to move Farbar Recovery Scan Tool to your desktop otherwise fixes will not work.

At the moment it’s located here:

C:\Users\Edgar\Downloads
 

  • go to your Downloads folder and locate Farbar Recovery Scan Tool
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

================================================

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 -> DefaultScope {71CB2414-A957-4F1E-9F7A-1B86197FA0A7} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKU\S-1-5-21-2806946674-3714234295-874986752-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2806946674-3714234295-874986752-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
FF Plugin-x32: @bittorrent.com/BitTorrentDNA -> C:\Program Files (x86)\DNA\plugins\npbtdna.dll [No File]
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [No File]
FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [No File]
FF Plugin-x32: @ogplanet.com/npOGPPlugin -> C:\Windows\system32\npOGPPlugin.dll [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-2806946674-3714234295-874986752-1000: thehappycloud.com/HappyCloudPlugin -> C:\ProgramData\HappyCloud\Application\npHappyCloudPlugin.dll [No File]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1} [2016-06-09] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension => not found
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll => No File
CHR Plugin: (DNA Plug-in) - C:\Program Files (x86)\DNA\plugins\npbtdna.dll => No File
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll => No File
CHR Plugin: (Nexon Game Controller) - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll => No File
CHR Plugin: (Google Update) - C:\Users\Edgar\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll => No File
CHR Plugin: (OGPlanet Game Plugin) - C:\Windows\system32\npOGPPlugin.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll => No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll => No File
S3 Epfwndis; \SystemRoot\system32\DRIVERS\Epfwndis.sys [X]
U3 idsvc; no ImagePath
U3 wpcsvc; no ImagePath
CustomCLSID: HKU\S-1-5-21-2806946674-3714234295-874986752-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Edgar\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2806946674-3714234295-874986752-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Edgar\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2806946674-3714234295-874986752-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Edgar\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2806946674-3714234295-874986752-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Edgar\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2806946674-3714234295-874986752-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Edgar\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2806946674-3714234295-874986752-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Edgar\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2806946674-3714234295-874986752-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Edgar\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2806946674-3714234295-874986752-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Edgar\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2806946674-3714234295-874986752-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Edgar\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2806946674-3714234295-874986752-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Edgar\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2806946674-3714234295-874986752-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Edgar\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2806946674-3714234295-874986752-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Edgar\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2806946674-3714234295-874986752-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Edgar\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
Task: {0503599C-B107-4DA9-A6C1-D1B7008D5D2F} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {1A46CCE0-50A9-4565-9ECD-57CC16EFA986} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {2D903DF6-6C56-43AB-8F5D-1A5E0BA5C522} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {32001E32-E70B-4D89-91E4-2CC155E9E376} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {491E6C95-2189-4FCC-8284-0A8112370314} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {664CFB97-42DF-42DA-84DF-B8769412C0F3} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {78D04CBD-2636-490F-BE57-14ECEA9CF713} - System32\Tasks\{AC234E69-962D-457B-B49A-487094F6B32A} => pcalua.exe -a "C:\Program Files (x86)\InstallShield Installation Information\{41E57D2A-F778-4183-B1F7-A4A5FDF0E896}\setup.exe" -c -runfromtemp -l0x0409
Task: {7C903F99-D8E4-4A37-948A-39D97CC37021} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {7D095F0A-3AF5-4E0D-8B55-53AB1DEEBD0D} - \CCleanerSkipUAC -> No File <==== ATTENTION
Task: {851D7986-2AF6-4293-85B4-28C2012648D6} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {875B4260-254E-466B-B8A5-E4CFE741004A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {974700A0-DC43-4396-BC0F-60F3AA160E2E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {98C8BFD9-080E-4297-97CF-534192381AE0} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {B44ECE1D-21AA-4DFE-92FC-28C1D88F89D9} - System32\Tasks\{7038BE5A-FAEB-446F-8F41-9D3D74395C28} => Firefox.exe hxxp://ui.skype.com/ui/0/7.12.80.101/en/go/help.faq.installer?LastError=112
Task: {B4C868BD-B9CF-46CD-9520-6FC1786194F4} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
Task: {CF67DD23-1D77-4465-8FAF-9834F468DBD0} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {F4900F29-6D89-4ED0-8E02-BADE0DE6E84D} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {FE788475-6AB3-4C78-A732-6F3923729B6D} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
AlternateDataStreams: C:\Users\Edgar\gamefootage.avi:TOC.WMV [130]
AlternateDataStreams: C:\Users\Edgar\mah skills.avi:TOC.WMV [130]
C:\ProgramData\hash.dat
C:\Users\Edgar\2_mon2.dat
C:\Users\Edgar\aim7272.exe
C:\Users\Edgar\AllodsDownloader20110718.exe
C:\Users\Edgar\amddriverdownloader.exe
C:\Users\Edgar\animated-chart-setup.exe
C:\Users\Edgar\AutoHotkey_L_Install.exe
C:\Users\Edgar\ava_us_downloader.exe
C:\Users\Edgar\Black_Prophecy_US.exe
C:\Users\Edgar\BL_1100.RC3_EN.exe
C:\Users\Edgar\Brothersoft_downloader_For_Orbit_Downloader.exe
C:\Users\Edgar\BRU_Setup_WinNTx64.exe
C:\Users\Edgar\burnsetup.exe
C:\Users\Edgar\ccsetup400.exe
C:\Users\Edgar\ChromeSetup.exe
C:\Users\Edgar\CMASetup.exe
C:\Users\Edgar\Combined-Community-Codec-Pack-2009-09-09.exe
C:\Users\Edgar\CosmicBreakSetup_eng.exe
C:\Users\Edgar\CrystalDiskInfo5_0_0Shizuku-en.exe
C:\Users\Edgar\cuesplitter_setup.exe
C:\Users\Edgar\dBpoweramp-Codec-OggVorbis.exe
C:\Users\Edgar\DeathAdder_driver_v3.02_Eng.exe
C:\Users\Edgar\debutsetup.exe
C:\Users\Edgar\dMC-R14.4-Ref-Trial.exe
C:\Users\Edgar\downloader.exe
C:\Users\Edgar\DragonNestDownloaderV02.exe
C:\Users\Edgar\DragonNestDownloaderV05.exe
C:\Users\Edgar\dreamsceneseven.exe
C:\Users\Edgar\DTLite4356-0091.exe
C:\Users\Edgar\dup562exedrachac-setup.exe
C:\Users\Edgar\dxwebsetup.exe
C:\Users\Edgar\eac-1.0beta3.exe
C:\Users\Edgar\edeneternal_us_downloader.exe
C:\Users\Edgar\ffxivsetup.exe
C:\Users\Edgar\Firefox Setup 8.0.exe
C:\Users\Edgar\flac-1.2.1b.exe
C:\Users\Edgar\FOGDownloader-RoM_3_0_1_2153.exe
C:\Users\Edgar\FreeStudio.exe
C:\Users\Edgar\FreeVideoToJPGConverter.exe
C:\Users\Edgar\FreeYouTubeToMp3Converter.exe
C:\Users\Edgar\FW_EN_Downloader_0.150.0.exe
C:\Users\Edgar\gifrecordersetup.exe
C:\Users\Edgar\gimp-2.6.11-i686-setup-1.exe
C:\Users\Edgar\GPU-Z.0.7.0.exe
C:\Users\Edgar\gputemp_setup.exe
C:\Users\Edgar\grandfantasia_us_downloader.exe
C:\Users\Edgar\Gw2Setup.exe
C:\Users\Edgar\hw64_410.exe
C:\Users\Edgar\iahgames-setup-1.2.2.exe
C:\Users\Edgar\idroo-1-0-0-154-setup.exe
C:\Users\Edgar\install_flashplayer11x32au_mssd_aih.exe
C:\Users\Edgar\install_flash_player.exe
C:\Users\Edgar\IrisDownloader_20110126.exe
C:\Users\Edgar\JPEGCrops0.7.5b.exe
C:\Users\Edgar\KeePass-2.19-Setup.exe
C:\Users\Edgar\KeePass-2.21-Setup.exe
C:\Users\Edgar\KiesSetup.exe
C:\Users\Edgar\Lachesis_win7_(compatible_only)_driver_v1.10_Eng.exe
C:\Users\Edgar\LeagueofLegends_NA_Installer_05_07_13.exe
C:\Users\Edgar\LH_5.01.0000_EN_downloader.exe
C:\Users\Edgar\licecap124-install.exe
C:\Users\Edgar\limeodyssey_us_downloader.exe
C:\Users\Edgar\m-dat-converter6.exe
C:\Users\Edgar\MameUI64-0.140.1.exe
C:\Users\Edgar\mcpatcher-1.1.12_02.exe
C:\Users\Edgar\Minecraft.exe
C:\Users\Edgar\MorphVOXJunior_Install-1.exe
C:\Users\Edgar\MrTorgueSoundboard.exe
C:\Users\Edgar\neverwinter_setup.exe
C:\Users\Edgar\OBS_0_592b_Installer.exe
C:\Users\Edgar\ogpinst_us.exe
C:\Users\Edgar\OrbitDownloaderSetup.exe
C:\Users\Edgar\OriginThinSetup.exe
C:\Users\Edgar\Passage_v3_Windows.exe
C:\Users\Edgar\PowerISO47.exe
C:\Users\Edgar\Procaster.exe
C:\Users\Edgar\ProjectBlackout_Downloader.exe
C:\Users\Edgar\QuickTimeInstaller.exe
C:\Users\Edgar\raidcall_6.3.0.exe
C:\Users\Edgar\raidcall_v7.0.4.exe
C:\Users\Edgar\raidcall_v7.1.6.exe
C:\Users\Edgar\raidcall_v7.1.8.exe
C:\Users\Edgar\Rainmeter-2.2.exe
C:\Users\Edgar\RazerGameBoosterSetup_4.0.68.0.exe
C:\Users\Edgar\Razer_Synapse_Framework_V1.14.04.exe
C:\Users\Edgar\RIFT-Install-0-rvi44o.exe
C:\Users\Edgar\rubyinstaller-1.9.3-p362.exe
C:\Users\Edgar\setup.exe
C:\Users\Edgar\setup_audacity_recovery.exe
C:\Users\Edgar\Shockwave_Installer_Slim.exe
C:\Users\Edgar\SkypeSetup.exe
C:\Users\Edgar\SkypeSetupFull.exe
C:\Users\Edgar\SokuEnglishTranslation-v1_0.exe
C:\Users\Edgar\SPTDinst-v169-x64.exe
C:\Users\Edgar\StarCraft_2_NA_en-US.exe
C:\Users\Edgar\SUPERsetup.exe
C:\Users\Edgar\TeamSpeak3-Client-win64-3.0.13.1.exe
C:\Users\Edgar\TERA-Setup-HC.exe
C:\Users\Edgar\TERASetup.exe
C:\Users\Edgar\th123_update_110.exe
C:\Users\Edgar\tralih270172.exe
C:\Users\Edgar\Trickster_downloader.exe
C:\Users\Edgar\Tunngle_Setup_v4.4.4.1.exe
C:\Users\Edgar\Tunngle_Setup_v4.5.1.3.exe
C:\Users\Edgar\UnityWebPlayer.exe
C:\Users\Edgar\USB_DZMV5.EXE
C:\Users\Edgar\vcredist_x64.exe
C:\Users\Edgar\ventrilo-3.0.8-Windows-x64.exe
C:\Users\Edgar\videoconverter_setup.exe
C:\Users\Edgar\VindictusCBDownloaderV002.exe
C:\Users\Edgar\vlc-1.1.9-win32.exe
C:\Users\Edgar\VS10sp1-KB983509.exe
C:\Users\Edgar\womble-vcr-12471607.exe
C:\Users\Edgar\X16-42918_6R4CQ-KM99G-HTRGH-YYKBY-Q6FP8.exe
C:\Users\Edgar\xsplit_installer_v1.3.1309.1602.exe
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

Thanks

Satchfan

 


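A fixlist like the one above is a deletion script, so it is worth knowing what it touches before clicking Fix, and whether copying it through a forum post has mangled it (two `Task:` entries can end up pasted onto one line, separated only by spaces). The linter below is an added example written for this page; it is not part of the thread and not FRST's own code. It splits the script into entries, classifies them by the directive prefixes that occur in this script (a subset of what FRST accepts, not the full directive set), warns when two entries are fused on one line, and warns when a bare file path to be deleted lies outside `C:\Users` or `C:\ProgramData`, which is where every bare path in the script above sits. The sample fixlist is constructed, with made-up GUIDs, names and paths.

```python
import re
from collections import Counter
from typing import Dict, List

# Directive prefixes as they appear in the script above. FRST accepts more; this is not the full set.
PREFIXES = [
    ("CloseProcesses:", "control"),
    ("EmptyTemp:", "control"),
    ("SearchScopes:", "search"),
    ("FF ", "browser"),           # FF Plugin-x32:, FF Extension:, FF HKLM-x32\...
    ("CHR ", "browser"),          # CHR Plugin:
    ("CustomCLSID:", "clsid"),
    ("Task:", "task"),
    ("AlternateDataStreams:", "ads"),
]
SERVICE_RE = re.compile(r"^[SUR]\d+\s+\S+;")   # "S3 name; \SystemRoot\... [X]" or "U3 name; no ImagePath"
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\")       # a path on its own line: FRST deletes it
# A second directive starting mid-line after a run of spaces: the signature of two entries pasted onto one line.
FUSED_RE = re.compile(
    r"(?<=\S)\s{2,}(?=(?:Task|CustomCLSID|SearchScopes|AlternateDataStreams"
    r"|CHR Plugin|FF Extension|FF Plugin[^:\s]*):\s)"
)
# Every bare-path deletion in the thread's script stays under the profile or ProgramData;
# anything elsewhere (system directories in particular) deserves a second look before running.
EXPECTED_ROOTS = ("c:\\users\\", "c:\\programdata\\")


def classify(entry: str) -> str:
    for prefix, kind in PREFIXES:
        if entry.startswith(prefix):
            return kind
    if SERVICE_RE.match(entry):
        return "service"
    if BARE_PATH_RE.match(entry):
        return "file"
    return "unknown"


def lint_fixlist(text: str) -> Dict[str, object]:
    """Split a fixlist into entries and report what it does and what looks off."""
    entries: List[str] = []
    warnings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = [p for p in FUSED_RE.split(line) if p]
        if len(parts) > 1:
            warnings.append(f"line {lineno}: {len(parts)} entries fused on one line; review the split")
        entries.extend(parts)
    kinds = Counter()
    for e in entries:
        kind = classify(e)
        kinds[kind] += 1
        if kind == "file" and not e.lower().startswith(EXPECTED_ROOTS):
            warnings.append(f"bare path outside user profile/ProgramData: {e}")
        elif kind == "unknown":
            warnings.append(f"unrecognised directive: {e}")
    return {"entries": entries, "kinds": kinds, "warnings": warnings}


# Constructed sample: same directive shapes as the script above, made-up GUIDs, names and paths.
# Line 6 deliberately carries two Task entries separated by two spaces; line 10 is a path outside the profile.
SAMPLE_FIXLIST = r"""CloseProcesses:
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.example/results?q={searchTerms}
FF Plugin-x32: @example.com/Plugin -> C:\Program Files (x86)\Example\npexample.dll [No File]
S3 exampledrv; \SystemRoot\system32\DRIVERS\exampledrv.sys [X]
U3 examplesvc; no ImagePath
Task: {00000000-0000-0000-0000-000000000001} - \Example\Trigger -> No File <==== ATTENTION  Task: {00000000-0000-0000-0000-000000000002} - \Example\Other -> No File <==== ATTENTION
AlternateDataStreams: C:\Users\example\video.avi:TOC.WMV [130]
C:\ProgramData\example.dat
C:\Users\example\leftover-installer.exe
C:\Windows\System32\example.dll
EmptyTemp:
"""

if __name__ == "__main__":
    report = lint_fixlist(SAMPLE_FIXLIST)
    print(dict(report["kinds"]))
    for w in report["warnings"]:
        print("WARNING:", w)
```

The fused-line check only flags and splits on a double space followed by a known directive, so the result is something to review rather than to trust blindly; the "bare path outside the profile" warning is a review prompt for the person running the script, not a claim that such a path is wrong in every fixlist.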


#7 EsatoP (Topic Starter)

  • Members
  • 7 posts
  • OFFLINE
  • Local time: 03:44 PM

Posted 22 August 2016 - 03:33 PM

Thanks for the quick reply satchfan! The Japanese games I did intentionally install as I've imported some software. I have uninstalled uTorrent and all other P2P programs while I was reading up on the topics beforehand while waiting for your next reply.

 

Attached is the fixlog from FRST.

Attached Files



#8 satchfan

  • Malware Response Team
  • 2,838 posts
  • OFFLINE
  • Gender: Female
  • Location: Devon, UK
  • Local time: 09:44 PM

Posted 22 August 2016 - 03:45 PM

So far so good.

Let’s see if there’s anything else on your computer that shouldn’t be.

Run CKScanner

Download CKScanner by askey127 from here & save it to your Desktop.

  • double-click CKScanner.exe then click Search For Files
  • when the cursor hourglass disappears, click Save List To File
  • a message box will verify the file saved
  • double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply.

===================================================

Run Security Check

Download Security Check by screen317 from here.

  • save it to your Desktop.
  • double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • a Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE: If you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED!, try rebooting the system and then run SecurityCheck again.

Logs to include with next post:

CKFiles.txt
checkup.txt

 

Can you tell me how things are now.

 

Thanks

Satchfan

 




#9 EsatoP (Topic Starter)

  • Members
  • 7 posts
  • OFFLINE
  • Local time: 03:44 PM

Posted 22 August 2016 - 04:02 PM

Done! Going through the newly generated logs, there are some things I thought I deleted way back but are still there.

 

HDD space has been static though, so no problems there. 

Attached Files



#10 satchfan

  • Malware Response Team
  • 2,838 posts
  • OFFLINE
  • Gender: Female
  • Location: Devon, UK
  • Local time: 09:44 PM

Posted 22 August 2016 - 04:54 PM

Please uninstall Debut Video Capture Software & WinRar which appear to have been acquired illicitly.

The folders also need to be deleted: they can be found here:

c:\users\edgar\debut video capture v1.48 + [crack].rar
c:\users\edgar\desktop\misc stuff from desktop\debut video capture v1.48 + [crack].rar
c:\users\edgar\downloads\setups\winrar 3.62 crack.rar


==================================================

Some of the 'Custom Maid’ files are very large and if you also look in your Downloads folder, I think you may understand where some of the space is going.

Do you have any problems other than the HDD space?




#11 EsatoP (Topic Starter)

  • Members
  • 7 posts
  • OFFLINE
  • Local time: 03:44 PM

Posted 22 August 2016 - 05:01 PM

No other problems! I was aware of the size of those files while trying to clean up the hard drive space but when I saw the free space decreasing over time while I was idle, I figured something was wrong.

 

Those folders have been deleted and the two programs have been uninstalled. Any other steps that need to be done?



#12 satchfan

  • Malware Response Team
  • 2,838 posts
  • OFFLINE
  • Gender: Female
  • Location: Devon, UK
  • Local time: 09:44 PM

Posted 22 August 2016 - 05:27 PM

If you're happy that all is now OK, I'll close the topic.

 

In future, please be careful about downloading anything you're not sure about and especially avoid torrents.

 

I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Satchfan




#13 EsatoP (Topic Starter)

  • Members
  • 7 posts
  • OFFLINE
  • Local time: 03:44 PM

Posted 22 August 2016 - 05:32 PM

Thanks very much for the help! :) Have a few beers! Tabs on me. I appreciate the help!


Edited by EsatoP, 22 August 2016 - 05:32 PM.


#14 satchfan

  • Malware Response Team
  • 2,838 posts
  • OFFLINE
  • Gender: Female
  • Location: Devon, UK
  • Local time: 09:44 PM

Posted 22 August 2016 - 05:36 PM

Thanks, I will.

 

I appreciate the help!

You're welcome.




#15 satchfan

  • Malware Response Team
  • 2,838 posts
  • OFFLINE
  • Gender: Female
  • Location: Devon, UK
  • Local time: 09:44 PM

Posted 24 August 2016 - 04:22 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
