Hello:
Please help me if you can..........
Something disabled Windows Defender and is letting very large bogus files onto my computer, so I installed the latest free version of Avast. I am using Windows 8.1 on a Lenovo computer. I just discovered that some mystery files are being inserted into my computer by the dozens, and these mystery files are extremely large, so the hard drive was almost filled up!
Here is what I found by using an app called WinDirStat:
the mystery files look like this: 12754694899610736661_2853498758043839360_4480_4480 ~ 960 MB
and this: ver1
they are sent to this location in my computer: C:\$Recycle.Bin\S-1-5-21-2712117882-3860235528-2112810399-1002
When I open the mystery file with Firefox, it looks like this:
file:///C:/recyclebin/12754694899610736661_2853498758043835520_3840_3840
which is an application/octet-stream (960 MB) from C:\recyclebin
Note: the file opens in Firefox but there is no information in the page and, after pressing Ctrl-U, there is NO code at all!
These files are still coming into my computer after installing Avast so PLEASE help me if you can. I can catch these files with the help of WinDirStat but want to stop them altogether. I believe a virus has invaded my PC and had hoped that Avast would catch and kill it but not so far!
Thanks,
jim
FRST.txt
- Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 22-05-2015 01
Ran by jimrich (administrator) on IDEA-PC on 22-05-2015 14:47:50
Running from C:\Users\jimrich\Documents\Downloads
Loaded Profiles: jimrich (Available Profiles: jimrich & DefaultAppPool)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool:
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\ksys2kh8hxd\doguhkdbnupvw.exe
() C:\ksys2kh8hxd\vezkoophwj.exe
() C:\Windows\jmesoft\Service.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\avastui.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office\WINWORD.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe
(Seifert) C:\Program Files (x86)\WinDirStat\windirstat.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_17_0_0_188.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_17_0_0_188.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Expression\Web 4\ExpressionWeb.exe
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
(Trend Micro Inc.) C:\Users\jimrich\AppData\Local\Temp\HouseCall32\housecall.bin
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Microsoft Corporation) C:\Windows\Msagent\AGENTSVR.EXE
(Microsoft Corporation) C:\Windows\System32\AtBroker.exe
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-04-10] (Oracle Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5515496 2015-05-21] (Avast Software s.r.o.)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoLowDiscSpaceChecks] 1
HKU\S-1-5-20\...\Policies\Explorer: [NoLowDiscSpaceChecks] 1
HKU\S-1-5-21-2712117882-3860235528-2112810399-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7404312 2015-01-20] (Piriform Ltd)
HKU\S-1-5-21-2712117882-3860235528-2112810399-1002\...\Run: [CCleaner] => C:\Program Files\CCleaner\CCleaner64.exe [7404312 2015-01-20] (Piriform Ltd)
HKU\S-1-5-21-2712117882-3860235528-2112810399-1002\...\Policies\Explorer: [NoLowDiscSpaceChecks] 1
HKU\S-1-5-21-2712117882-3860235528-2112810399-1002\...\MountPoints2: {b8d349c4-e036-11e3-bfd8-7427ea659b0c} - "E:\ZTE_Handset_USB_Driver.exe"
HKU\S-1-5-21-2712117882-3860235528-2112810399-1002\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Users\jimrich\Desktop\dds.scr [688992 2015-05-22] (Swearware)
HKU\S-1-5-18\...\Policies\Explorer: [NoLowDiscSpaceChecks] 1
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-05-21] (Avast Software s.r.o.)
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => No File
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2712117882-3860235528-2112810399-1002\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.facebook.com/
HKU\S-1-5-21-2712117882-3860235528-2112810399-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo13.msn.com
HKU\S-1-5-21-2712117882-3860235528-2112810399-1002\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://home.lenovo.com
URLSearchHook: HKLM-x32 - (No Name) - {07cbf788-1359-421b-a4e3-5a8d041b90a3} - No File
URLSearchHook: HKLM-x32 - (No Name) - {01e86e69-a2f8-48a0-b068-83869bdba3d0} - No File
URLSearchHook: HKU\S-1-5-21-2712117882-3860235528-2112810399-1002 - (No Name) - {07cbf788-1359-421b-a4e3-5a8d041b90a3} - No File
URLSearchHook: HKU\S-1-5-21-2712117882-3860235528-2112810399-1002 - (No Name) - {01e86e69-a2f8-48a0-b068-83869bdba3d0} - No File
SearchScopes: HKLM-x32 -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&...&barid={AEF33787-E34F-11E2-BE77-7427EA659B0C}
SearchScopes: HKLM-x32 -> {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&...&barid={AEF33787-E34F-11E2-BE77-7427EA659B0C}
SearchScopes: HKU\S-1-5-21-2712117882-3860235528-2112810399-1002 -> DefaultScope {85A60A59-D3D8-468F-B598-FB4393789EF4} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-2712117882-3860235528-2112810399-1002 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?pc=COSP&...form=CONBDF&conlogo=CT3330961&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2712117882-3860235528-2112810399-1002 -> {0832D041-4A26-4643-9A19-11934F0C7A7A} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=407956&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2712117882-3860235528-2112810399-1002 -> {0FE177A5-9EA9-4517-8404-4BFC40A604A1} URL = http://search.conduit.com/Results.aspx?ctid=CT3300018&SearchSource=45&UM=2&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2712117882-3860235528-2112810399-1002 -> {1102A467-EE93-44C6-BAAF-2920445689D4} URL =
SearchScopes: HKU\S-1-5-21-2712117882-3860235528-2112810399-1002 -> {85A60A59-D3D8-468F-B598-FB4393789EF4} URL = https://www.google.com/search?q={searchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-05-21] (Avast Software s.r.o.)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2015-04-15] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-05-21] (Avast Software s.r.o.)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-04-15] (Oracle Corporation)
Toolbar: HKLM-x32 - No Name - {07cbf788-1359-421b-a4e3-5a8d041b90a3} - No File
Toolbar: HKLM-x32 - No Name - {01e86e69-a2f8-48a0-b068-83869bdba3d0} - No File
Toolbar: HKLM-x32 - No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
Toolbar: HKU\S-1-5-21-2712117882-3860235528-2112810399-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
DPF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {4FF78044-96B4-4312-A5B7-FDA3CB328095}
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - No File
Handler-x32: http - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: http - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: https - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: https - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: ipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Hosts: 127.0.0.1 localhost
Tcpip\Parameters: [DhcpNameServer] 192.168.15.1
Files to move or delete:
====================
C:\ProgramData\Lenovo-3509.vbs
C:\ProgramData\Lenovo-3574.vbs
Some zero byte size files/folders:
==========================
C:\Windows\System32\wuauclt.exe
C:\Windows\System32\wuaueng.dll
C:\Windows\System32\wups2.dll
==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2015-05-22 11:01
==================== End of log ============================
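An added triage helper, not part of jim's post and not a Farbar tool: it runs over a handful of lines copied verbatim from the FRST log above and pulls out the three things a helper would look at first. Processes listed with an empty "()" publisher, especially ones running from a directory straight under C:\ like C:\ksys2kh8hxd\, are flagged; the Explorer policy NoLowDiscSpaceChecks=1 set in every user hive is reported, since that setting suppresses the low-disk-space warning the user would otherwise have seen; and the zero-byte wuauclt.exe, wuaueng.dll and wups2.dll are matched against a list of Windows Update Agent files. The list of "standard" install roots and the set of Update Agent file names are this example's own assumptions, not something FRST produces.

```python
"""Triage a few FRST log lines: unsigned processes in odd places, silenced
low-disk-space warnings, and zero-byte Windows Update Agent components."""
import re
from typing import List, NamedTuple, Optional

# Sample input: lines copied verbatim from the FRST log posted above.
PROCESS_LINES = [
    r"(AMD) C:\Windows\System32\atiesrxx.exe",
    r"(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastSvc.exe",
    r"() C:\ksys2kh8hxd\doguhkdbnupvw.exe",
    r"() C:\ksys2kh8hxd\vezkoophwj.exe",
    r"() C:\Windows\jmesoft\Service.exe",
    r"(Microsoft Corporation) C:\Windows\Msagent\AGENTSVR.EXE",
    r"(Trend Micro Inc.) C:\Users\jimrich\AppData\Local\Temp\HouseCall32\housecall.bin",
]
POLICY_LINES = [
    r"HKLM\...\Policies\Explorer: [NoControlPanel] 0",
    r"HKU\S-1-5-19\...\Policies\Explorer: [NoLowDiscSpaceChecks] 1",
    r"HKU\S-1-5-20\...\Policies\Explorer: [NoLowDiscSpaceChecks] 1",
    r"HKU\S-1-5-21-2712117882-3860235528-2112810399-1002\...\Policies\Explorer: [NoLowDiscSpaceChecks] 1",
    r"HKU\S-1-5-18\...\Policies\Explorer: [NoLowDiscSpaceChecks] 1",
]
ZERO_BYTE_LINES = [
    r"C:\Windows\System32\wuauclt.exe",
    r"C:\Windows\System32\wuaueng.dll",
    r"C:\Windows\System32\wups2.dll",
]

# FRST prints a process as "(Publisher) full\path"; an empty "()" means the
# file carries no verified publisher name.
PROCESS_RE = re.compile(r"^\((?P<publisher>[^)]*)\)\s+(?P<path>[A-Za-z]:\\.+)$")
# FRST prints Explorer policies as "HIVE\...\Policies\Explorer: [Name] value".
POLICY_RE = re.compile(
    r"^(?P<hive>\S+?)\\\.\.\.\\Policies\\Explorer: \[(?P<name>\w+)\] (?P<value>\d+)$"
)

# Assumption for this example: roots under which software normally lives on a
# Windows client. A binary running from anywhere else (e.g. C:\ksys2kh8hxd\)
# deserves a look even before its publisher is checked.
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
                  "c:\\users\\", "c:\\programdata\\")
# Assumption for this example: Windows Update Agent files. A zero-byte copy of
# any of these means Windows Update cannot run on the machine.
WU_AGENT_FILES = {"wuauclt.exe", "wuaueng.dll", "wuapi.dll", "wups.dll",
                  "wups2.dll", "wuwebv.dll", "wucltux.dll"}


class Finding(NamedTuple):
    path: str
    reasons: tuple


def triage_process_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious process line, or None if it looks ordinary."""
    m = PROCESS_RE.match(line.strip())
    if not m:
        return None
    publisher, path = m.group("publisher").strip(), m.group("path")
    reasons = []
    if not publisher:
        reasons.append("no publisher")
    if not path.lower().startswith(STANDARD_ROOTS):
        reasons.append("outside standard install roots")
    return Finding(path, tuple(reasons)) if reasons else None


def triage_processes(lines: List[str]) -> List[Finding]:
    return [f for f in map(triage_process_line, lines) if f]


def silenced_disk_warnings(lines: List[str]) -> List[str]:
    """Hives in which Explorer's low-disk-space check is switched off (value 1)."""
    hives = []
    for line in lines:
        m = POLICY_RE.match(line.strip())
        if (m and re.fullmatch(r"NoLowDis[ck]SpaceChecks", m.group("name"))
                and m.group("value") == "1"):
            hives.append(m.group("hive"))
    return hives


def zero_byte_update_components(lines: List[str]) -> List[str]:
    """File names from the zero-byte list that belong to the Windows Update Agent."""
    names = (line.strip().rsplit("\\", 1)[-1] for line in lines)
    return [n for n in names if n.lower() in WU_AGENT_FILES]


if __name__ == "__main__":
    for f in triage_processes(PROCESS_LINES):
        print("SUSPECT:", f.path, "-", "; ".join(f.reasons))
    print("Low-disk warnings silenced in:", silenced_disk_warnings(POLICY_LINES))
    print("Zero-byte Windows Update files:", zero_byte_update_components(ZERO_BYTE_LINES))
```

On the log above this reports the two C:\ksys2kh8hxd\ executables and C:\Windows\jmesoft\Service.exe as unsigned, all four user hives with the disk-space warning disabled, and all three zero-byte files as Windows Update Agent components. The location heuristic deliberately does not flag jmesoft on its own, since legitimate components such as Msagent also sit directly under C:\Windows; the empty publisher is the signal there.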