Author Topic: Infected PC  (Read 6842 times)


REDACTED

  • Guest
Infected PC
« on: October 22, 2016, 12:45:58 PM »
Hi, so I suspect my PC is infected via flash drive but the said flash drive has been scanned, no threats found and then reformatted. Add new files into it and see attached picture. I also did an earlier scan with Avast with default parameters but no threats were found and Malwarebytes but the problem still persists. As of posting, I am running a smart scan with parameters on 2nd pic.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Infected PC
« Reply #1 on: October 22, 2016, 12:49:00 PM »

REDACTED

  • Guest
Re: Infected PC
« Reply #2 on: October 22, 2016, 01:10:12 PM »
Here are the logs so far based on the link that was provided.
« Last Edit: October 22, 2016, 02:10:53 PM by Leilrm »

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Re: Infected PC
« Reply #3 on: October 23, 2016, 08:57:59 AM »

Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.

How is the system running now?
Win7 x32 Ult. SP1, Brain 2.0 / Win10 x64, Brain2.5
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

REDACTED

  • Guest
Re: Infected PC
« Reply #4 on: October 23, 2016, 03:20:38 PM »
How can I tell if the system is running okay now?
The only instances I could tell that my computer was infected is by inserting a flash drive (aside from that, no threats are being detected), but I'm not sure if the flash drives I have are clean. (I reformatted them all because the first pic happened; I plug them in again, add files, then the same thing happens.)

If I use MCShield and plug my flash drives in right now, will my PC be safe?

Offline Eddy

Re: Infected PC
« Reply #5 on: October 23, 2016, 03:31:55 PM »
There is a reason why the instructions say to install McShield  ;)

REDACTED

  • Guest
Re: Infected PC
« Reply #6 on: October 23, 2016, 03:50:34 PM »
So MCShield said no malware was detected but the flash drive's content is still the same as first pic (the flash drive opened automatically. :( )

Edit:
So I tried to be brave and opened the flash drive again after the scan was made and now it has a "drive" folder in it.

« Last Edit: October 23, 2016, 03:57:38 PM by Leilrm »

Offline dbrisendine

Re: Infected PC
« Reply #7 on: October 23, 2016, 11:45:15 PM »
Please start FRST that should be on your desktop by right clicking on it and selecting "Run as Administrator".  Once it finishes loading and tells you it is ready to run, click the scan button and wait for the log to open.  This time it should only make a FRST.txt file; please attach that here for my review.

REDACTED

  • Guest
Re: Infected PC
« Reply #8 on: October 24, 2016, 08:13:22 AM »
Here's the log.

REDACTED

  • Guest
Re: Infected PC
« Reply #9 on: October 24, 2016, 08:44:44 AM »
So I inserted another flash drive just to check and used MCShield.
Malware was detected the first time. It was a .exe setup copied from the PC days before. Deleted it and then ejected the drive.
Inserted it again, MCShield detected another .exe setup as malicious, I also proceeded to delete it.
Inserted it the 3rd time, same thing happened.
There are at least 4 installers copied on the flash drive.
Here's the log.

Meanwhile, Avast and Malwarebytes detected nothing.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: Infected PC
« Reply #10 on: October 24, 2016, 09:03:28 AM »
Because of some forum issue, MCShield logs look like Chinese when attached, so this log must be copied and pasted.


REDACTED

  • Guest
Re: Infected PC
« Reply #11 on: October 24, 2016, 09:08:45 AM »
>>> MCShield AllScans.txt <<<

-----------------------------




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<


10/23/2016 9:45:02 PM > Drive C: - scan started (no label ~931 GB, NTFS HDD )...



=> The drive is clean.


10/23/2016 9:45:07 PM > Drive D: - scan started (no label ~unknown size, FAT HDD )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<


10/23/2016 9:46:01 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<


10/23/2016 9:49:52 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<


10/24/2016 2:07:58 PM > Drive C: - scan started (no label ~931 GB, NTFS HDD )...



=> The drive is clean.


10/24/2016 2:07:59 PM > Drive D: - scan started (no label ~unknown size, FAT HDD )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<


10/24/2016 2:19:26 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<


10/24/2016 2:24:01 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<


10/24/2016 2:27:20 PM > Drive E: - scan started (no label ~7664 MB, FAT32 flash drive )...


>>> E:\spekwin32_install_en_1.72.2.exe - Malware > Deleted. (16.10.24. 14.28 spekwin32_install_en_1.72.2.exe.297375; MD5: 7005d281cb518583fc988d0e915317ff)

>>> E:\Everything Research\spekwin32_install_en_1.72.2.exe - Malware > Deleted. (16.10.24. 14.28 spekwin32_install_en_1.72.2.exe.997474; MD5: 7005d281cb518583fc988d0e915317ff)


=> Malicious files   : 2/2 deleted.

____________________________________________

::::: Scan duration: (Interactive mode) ::::
____________________________________________




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<


10/24/2016 2:29:21 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<


10/24/2016 2:29:49 PM > Drive E: - scan started (no label ~7664 MB, FAT32 flash drive )...


>>> E:\IRPalSetup.exe - Malware > Deleted. (16.10.24. 14.30 IRPalSetup.exe.292187; MD5: 4c9dde5a6ca5753b7d54c553384edbc9)

>>> E:\Everything Research\IRPalSetup.exe - Malware > Deleted. (16.10.24. 14.30 IRPalSetup.exe.318367; MD5: 4c9dde5a6ca5753b7d54c553384edbc9)


=> Malicious files   : 2/2 deleted.

____________________________________________

::::: Scan duration: (Interactive mode) ::::
____________________________________________




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<


10/24/2016 2:32:53 PM > Drive E: - scan started (no label ~7664 MB, FAT32 flash drive )...


>>> E:\Everything Research\Origin2016Sr2No_H\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.313427; MD5: bfef7d0d6e8047265ca91d573aae677c)

>>> E:\Everything Research\Research\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.857536; MD5: bfef7d0d6e8047265ca91d573aae677c)

>>> E:\Origin2016Sr2No_H\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.929220; MD5: bfef7d0d6e8047265ca91d573aae677c)

>>> E:\Research\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.271618; MD5: bfef7d0d6e8047265ca91d573aae677c)


=> Malicious files   : 4/4 deleted.

____________________________________________

::::: Scan duration: (Interactive mode) ::::
____________________________________________
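As an added example (not part of the original thread and not MCShield's own tooling): a parser for the log format pasted above that collapses the detections into distinct MD5 hashes and cross-checks each scan's summary count against the lines actually parsed. The regular expressions are an assumption inferred from the lines in this post; the sample is an excerpt of that log.

```python
import re
from collections import defaultdict

# Excerpt of the MCShield log from the post above (blank lines and banners dropped).
SAMPLE_LOG = r"""
10/24/2016 2:27:20 PM > Drive E: - scan started (no label ~7664 MB, FAT32 flash drive )...
>>> E:\spekwin32_install_en_1.72.2.exe - Malware > Deleted. (16.10.24. 14.28 spekwin32_install_en_1.72.2.exe.297375; MD5: 7005d281cb518583fc988d0e915317ff)
>>> E:\Everything Research\spekwin32_install_en_1.72.2.exe - Malware > Deleted. (16.10.24. 14.28 spekwin32_install_en_1.72.2.exe.997474; MD5: 7005d281cb518583fc988d0e915317ff)
=> Malicious files   : 2/2 deleted.
10/24/2016 2:29:21 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )...
=> The drive is clean.
10/24/2016 2:32:53 PM > Drive E: - scan started (no label ~7664 MB, FAT32 flash drive )...
>>> E:\Everything Research\Origin2016Sr2No_H\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.313427; MD5: bfef7d0d6e8047265ca91d573aae677c)
>>> E:\Everything Research\Research\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.857536; MD5: bfef7d0d6e8047265ca91d573aae677c)
>>> E:\Origin2016Sr2No_H\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.929220; MD5: bfef7d0d6e8047265ca91d573aae677c)
>>> E:\Research\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.271618; MD5: bfef7d0d6e8047265ca91d573aae677c)
=> Malicious files   : 4/4 deleted.
"""

# Patterns inferred from the pasted log (assumption, not a documented format).
SCAN_RE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) > Drive (\w): - scan started")
HIT_RE = re.compile(r"^>>> (.+?) - Malware > (\w+)\. \(.*?MD5: ([0-9a-f]{32})\)")
SUMMARY_RE = re.compile(r"^=> Malicious files\s*:\s*(\d+)/(\d+) deleted")

def parse_mcshield(log):
    """Return (md5 -> sorted paths, scans whose summary disagrees with parsed hits)."""
    by_md5 = defaultdict(set)
    mismatches = []
    scan, hits = None, 0
    for line in log.splitlines():
        line = line.strip()
        if m := SCAN_RE.match(line):
            scan, hits = (m.group(1), m.group(2)), 0   # new scan block: reset counter
        elif m := HIT_RE.match(line):
            by_md5[m.group(3)].add(m.group(1))         # key on the hash, not the file name
            hits += 1
        elif m := SUMMARY_RE.match(line):
            # A summary that differs from what was parsed means a missed or undeleted file.
            if int(m.group(1)) != hits or int(m.group(2)) != hits:
                mismatches.append(scan)
    return {h: sorted(p) for h, p in by_md5.items()}, mismatches

if __name__ == "__main__":
    hashes, bad = parse_mcshield(SAMPLE_LOG)
    for md5, paths in hashes.items():
        print(md5, len(paths), "copies:", *paths, sep="\n  ")
    print("summary mismatches:", bad)
```

Grouping by hash shows that files named only `setup.exe` in different folders are one binary, so one reputation lookup per hash covers every copy.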



Offline dbrisendine

Re: Infected PC
« Reply #12 on: October 24, 2016, 09:17:59 AM »
Spekwin32 and/or Origin 2016 is infected (as are most files in demand that are downloaded with / from uTorrent).  Either the files that were downloaded or there are some infectors attached to the file(s).  The hash from the files deleted by MCShield leads to Origin2016 ( https://www.virustotal.com/en/file/38c7ca5ec86d167a345ccea822f8c89a51fe96f947675246cc06fdee5ad17736/analysis/ ).

Your call but I would remove or get legitimate copies of that software.  If they are legal and legitimate then you may have to contact their respective support channels to get non-malware copies (it has been known that files have been tampered with by hackers and the respective companies not aware of the fact).

REDACTED

  • Guest
Re: Infected PC
« Reply #13 on: October 24, 2016, 09:34:39 AM »
They are legitimate copies. I have downloaded them straight from their respective websites. Origin is a 30 day trial version since I don't want to purchase programs that I won't really be using that much. I was in direct contact with the developer of Spekwin32, who gave me a non-commercial full version of the program.
Both programs are also currently installed on my PC.
I copied their setups to my flash drive to avoid the hassle of redownloading them to my laptop (the possibility of my laptop being infected is high).
My theory is that my PC must have been already infected when I copied those files. I started suspecting the infection when a third flash drive was inserted last Saturday and all the files in it were ruined; aside from that, I had no idea. I just thought my drive was broken since Malwarebytes detects nothing.

I have already removed them from the drive. Do I have to remove them from my PC, or are they fine now after the fix?
Also, will you take a look at my laptop? If I don't check it and it is indeed infected, then I'm risking a repeat infection. I will post logs in a bit.
« Last Edit: October 24, 2016, 09:43:30 AM by Leilrm »

Offline Eddy

Re: Infected PC
« Reply #14 on: October 24, 2016, 09:43:54 AM »
Please copy/paste the content of that batch file here.
Let's see what it is supposed to do.