Hi, so I suspect my PC is infected via flash drive, but the said flash drive has been scanned, no threats found, and then reformatted. I added new files into it and see attached picture. I also did an earlier scan with Avast with default parameters and with Malwarebytes, but no threats were found and the problem still persists. As of posting, I am running a smart scan with the parameters on the 2nd pic.
http://i65.tinypic.com/fjnkzo.png
Here’s the logs so far based on the link that was provided.
Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
- Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished, FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.
How is the system running now?
How can I tell if the system is running okay now?
The only instance where I could tell that my computer was infected is by inserting a flash drive (aside from that, no threats are being detected), but I’m not sure if the flash drives I have are clean. (I reformatted them all because the first pic happened; I plugged them in again, added files, then the same thing happened.)
If I use MCShield and plug in my flash drives right now, will my PC be safe?
There is a reason why the instructions say to install McShield.
So MCShield said no malware was detected, but the flash drive’s content is still the same as the first pic (the flash drive opened automatically).
Edit:
So I tried to be brave and opened the flash drive again after the scan was made and now it has a “drive” folder in it.
Please start FRST that should be on your desktop by right clicking on it and selecting “Run as Administrator”. Once it finishes loading and tells you it is ready to run, click the scan button and wait for the log to open. This time it should only make a FRST.txt file; please attach that here for my review.
Here’s the log.
So I inserted another flash drive just to check and used MCShield.
Malware was detected the first time. It was a .exe setup copied from the PC days before. I deleted it and then ejected the drive.
Inserted it again, and MCShield detected another .exe setup as malicious; I also proceeded to delete it.
Inserted it a 3rd time, and the same thing happened.
There are at least 4 installers copied on the flash drive.
Here’s the log.
Meanwhile, Avast and Malwarebytes detected nothing.
Because of some forum issue, MCShield logs look like Chinese when attached, so this log must be copied and pasted.
MCShield AllScans.txt <<<
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
10/23/2016 9:45:02 PM > Drive C: - scan started (no label ~931 GB, NTFS HDD )…
=> The drive is clean.
10/23/2016 9:45:07 PM > Drive D: - scan started (no label ~unknown size, FAT HDD )…
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
10/23/2016 9:46:01 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )…
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
10/23/2016 9:49:52 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )…
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
10/24/2016 2:07:58 PM > Drive C: - scan started (no label ~931 GB, NTFS HDD )…
=> The drive is clean.
10/24/2016 2:07:59 PM > Drive D: - scan started (no label ~unknown size, FAT HDD )…
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
10/24/2016 2:19:26 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )…
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
10/24/2016 2:24:01 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )…
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
10/24/2016 2:27:20 PM > Drive E: - scan started (no label ~7664 MB, FAT32 flash drive )…
E:\spekwin32_install_en_1.72.2.exe - Malware > Deleted. (16.10.24. 14.28 spekwin32_install_en_1.72.2.exe.297375; MD5: 7005d281cb518583fc988d0e915317ff)
E:\Everything Research\spekwin32_install_en_1.72.2.exe - Malware > Deleted. (16.10.24. 14.28 spekwin32_install_en_1.72.2.exe.997474; MD5: 7005d281cb518583fc988d0e915317ff)
=> Malicious files : 2/2 deleted.
::::: Scan duration: (Interactive mode) ::::
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
10/24/2016 2:29:21 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )…
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
10/24/2016 2:29:49 PM > Drive E: - scan started (no label ~7664 MB, FAT32 flash drive )…
E:\IRPalSetup.exe - Malware > Deleted. (16.10.24. 14.30 IRPalSetup.exe.292187; MD5: 4c9dde5a6ca5753b7d54c553384edbc9)
E:\Everything Research\IRPalSetup.exe - Malware > Deleted. (16.10.24. 14.30 IRPalSetup.exe.318367; MD5: 4c9dde5a6ca5753b7d54c553384edbc9)
=> Malicious files : 2/2 deleted.
::::: Scan duration: (Interactive mode) ::::
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
10/24/2016 2:32:53 PM > Drive E: - scan started (no label ~7664 MB, FAT32 flash drive )…
E:\Everything Research\Origin2016Sr2No_H\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.313427; MD5: bfef7d0d6e8047265ca91d573aae677c)
E:\Everything Research\Research\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.857536; MD5: bfef7d0d6e8047265ca91d573aae677c)
E:\Origin2016Sr2No_H\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.929220; MD5: bfef7d0d6e8047265ca91d573aae677c)
E:\Research\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.271618; MD5: bfef7d0d6e8047265ca91d573aae677c)
=> Malicious files : 4/4 deleted.
::::: Scan duration: (Interactive mode) ::::
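The AllScans.txt output pasted above follows a regular line format (a scan header per drive, one line per detection with path, verdict, action and MD5, and a closing summary), which makes it easy to turn into records and sanity-check. The following parser is an added example, not MCShield's own code; the field names are assumptions, and the sample log embedded in it is constructed to mirror the format above (paths, sizes and MD5s are made up). Beyond plain parsing it does two checks a responder wants: that the "Malicious files : N/N deleted" summary agrees with the detection lines actually listed, and which MD5s recur under several paths, since the same hash in multiple folders means one file was copied around rather than several unrelated detections.

```python
"""Parse MCShield AllScans.txt output into per-scan records and check them.

Added example, not part of MCShield: line formats are inferred from the
log pasted in this thread, so every field name below is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the AllScans.txt format above.
# Paths, sizes and MD5 values are made up for this example.
SAMPLE_LOG = """\
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
10/24/2016 2:07:58 PM > Drive C: - scan started (no label ~931 GB, NTFS HDD )…
=> The drive is clean.
10/24/2016 2:19:26 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )…
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
10/24/2016 2:27:20 PM > Drive E: - scan started (no label ~7664 MB, FAT32 flash drive )…
E:\\example_setup.exe - Malware > Deleted. (16.10.24. 14.28 example_setup.exe.111111; MD5: 00112233445566778899aabbccddeeff)
E:\\Backup\\example_setup.exe - Malware > Deleted. (16.10.24. 14.28 example_setup.exe.222222; MD5: 00112233445566778899aabbccddeeff)
=> Malicious files : 2/2 deleted.
::::: Scan duration: (Interactive mode) ::::
"""

# "10/24/2016 2:27:20 PM > Drive E: - scan started (no label ~7664 MB, FAT32 flash drive )…"
SCAN_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) > "
    r"Drive (?P<drive>[A-Z]): - scan started "
    r"\((?P<label>.*?) ~(?P<size>[^,]*), (?P<kind>.*?) \)"
)
# "E:\dir\file.exe - Malware > Deleted. (... ; MD5: <32 hex>)"
DETECT_RE = re.compile(
    r"^(?P<path>[A-Z]:\\.*?) - (?P<verdict>\w+) > (?P<action>\w+)\. "
    r"\(.*?; MD5: (?P<md5>[0-9a-f]{32})\)$"
)
SUMMARY_RE = re.compile(r"^=> Malicious files : (\d+)/(\d+) deleted\.$")


def parse_allscans(text):
    """Return one dict per 'scan started' header, with its detections and summary."""
    scans = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SCAN_RE.match(line)
        if m:
            current = {
                "time": m["time"], "drive": m["drive"], "label": m["label"],
                "size": m["size"], "kind": m["kind"],
                "detections": [], "clean": None, "reported_deleted": None,
            }
            scans.append(current)
            continue
        if current is None:
            continue  # banner / version lines before the first scan header
        m = DETECT_RE.match(line)
        if m:
            current["detections"].append(
                {"path": m["path"], "verdict": m["verdict"],
                 "action": m["action"], "md5": m["md5"]})
            continue
        if line == "=> The drive is clean.":
            current["clean"] = True
            continue
        m = SUMMARY_RE.match(line)
        if m:
            current["clean"] = False
            current["reported_deleted"] = (int(m[1]), int(m[2]))
    return scans


def consistency_issues(scans):
    """Flag scans whose summary line disagrees with the detection lines listed."""
    issues = []
    for s in scans:
        n = len(s["detections"])
        if s["clean"] is None:
            issues.append(f"drive {s['drive']} at {s['time']}: no summary line (truncated log?)")
        elif s["clean"] and n:
            issues.append(f"drive {s['drive']} at {s['time']}: reported clean but lists {n} detection(s)")
        elif s["reported_deleted"] and s["reported_deleted"][1] != n:
            issues.append(f"drive {s['drive']} at {s['time']}: summary says "
                          f"{s['reported_deleted'][1]} files but {n} detection line(s) present")
    return issues


def paths_by_md5(scans):
    """Group detected paths by hash; a hash under several paths is one file copied around."""
    groups = defaultdict(set)
    for s in scans:
        for d in s["detections"]:
            groups[d["md5"]].add(d["path"])
    return {md5: sorted(paths) for md5, paths in groups.items()}


if __name__ == "__main__":
    scans = parse_allscans(SAMPLE_LOG)
    for s in scans:
        state = "clean" if s["clean"] else f"{len(s['detections'])} detection(s)"
        print(f"{s['time']}  {s['drive']}: {s['kind']:<18} {state}")
    for md5, paths in paths_by_md5(scans).items():
        print(f"MD5 {md5} seen at {len(paths)} path(s): {paths}")
    for issue in consistency_issues(scans) or ["no inconsistencies found"]:
        print(issue)
```

Paste the real AllScans.txt content into `SAMPLE_LOG` (or read it from a file) to apply the same checks to an actual log; the summary-versus-detections check is what you would use to notice a log that was cut short when copied into a forum post.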
Speckwin32 and/or Origin 2016 are infected (as are most in-demand files that are downloaded with/from uTorrent). Either the downloaded files themselves were infected, or there are some infectors attached to the file(s). The hash from the files deleted by MCShield leads to Origin2016 ( https://www.virustotal.com/en/file/38c7ca5ec86d167a345ccea822f8c89a51fe96f947675246cc06fdee5ad17736/analysis/ ).
Your call, but I would remove or get legitimate copies of that software. If they are legal and legitimate, then you may have to contact their respective support channels to get non-malware copies (it has been known that files have been tampered with by hackers and the respective companies were not aware of the fact).
They are legitimate copies. I have downloaded them straight from their respective websites. Origin is a 30-day trial version since I don’t want to purchase programs that I won’t really be using that much. I was in direct contact with the developer of speckwin32, who gave me a non-commercial full version of the program.
Both programs are also currently installed on my PC.
I copied their setups to my flash drive to avoid the hassle of redownloading them to my laptop (the possibility of my laptop being infected is high).
My theory is that my PC must have been already infected when I copied those files. I started suspecting the infection when a third flash drive was inserted last Saturday and all the files in it were ruined; aside from that, I had no idea. I just thought my drive was broken since Malwarebytes detects nothing.
I have already removed them from the drive. Do I have to remove them from my PC, or are they fine now after the fix?
Also, will you take a look at my laptop? If I don’t check it and it is indeed infected, then I’m risking a repeat infection. I will post logs in a bit.
Please copy/paste the content of that batch file here.
Let’s see what it is supposed to do.
Which batch file?
The one on the usb stick.
Usually we ask for separate threads for each system, but since this seems to be a related infection, please post the laptop files here but add "laptop" to the log names (you may have to do a Save as … in Notepad).
And the contents of that batch file on the USB drive would be very informative.
I can’t seem to find any batch files (.bat, .cmd, .btm) in it, or I may have no idea what to look for.
It does show in your images.
Could be you need to enable “show hidden files and folders”.