.mcl Virus?

I was on Google Chrome, when suddenly and randomly a file named “playlist.mcl” notified as downloaded at the bottom of the screen. I closed Chrome immediately.

I copied it to an old laptop and opened it with Notepad. When opened in notepad it reads:

It says .mcl is a file type associated with Windows Media Center.

I hope I’ve done the right (read: okay) thing so far, but was very shocked that Chrome downloaded this without my permission and don’t know what to do now.

Hi,

Try to send it to http://www.virustotal.com and paste the link.

Not sure what you mean. I assume you mean run the scan on that site and post the results?
I’m scared to open Chrome!

Okay, I tested it on the site you mentioned.

It seems to think it is fine (lots of green ticks), but it evidently isn’t.

Interestingly, it says the same file has been submitted before: the last time being 5 hours ago – but the first time it was ever submitted? Only 1 day, 1 hour ago!

Can you post the VirusTotal scan link?

Oops, sorry.

https://www.virustotal.com/en/file/109033ce16380349c2984abdf9b30585ebda54687fdea48c2c282089551bdb27/analysis/1444772382/

The part that worries me the most is how it downloaded itself like that!

Seems OK. Were you on any music / video download site?

If you want a check …

Instructions https://forum.avast.com/index.php?topic=53253.0
Attach Malwarebytes and Farbar Recovery Scan Tool logs … 3 logs total

See below the box you write in … Attachments and other options

The malware expert team will be online tomorrow and assist you.

I had a lot of tabs open, but nothing out of the ordinary, no music or video download site, unless you count YouTube as one!

I will try those scans, but removing this file itself is easy. I want to know how it downloaded itself most of all, I didn’t know that was possible!

http://blog.trendmicro.com/trendlabs-security-intelligence/windows-media-center-hacking-team-bug-fixed-in-september-2015-patch-tuesday/

I feel like this is relevant. I think the file isn’t being picked up as problematic or malicious because it is normally a harmless file type…

Here’s the Malwarebytes one…

Just checking I’m supposed to post the next ones (FRST.txt and Addition.txt) here, it looks like information that shouldn’t be shared, but I don’t know anything. :stuck_out_tongue:

Hey lupin, yes, please also attach the logs from FRST + Addition. A malware expert will help you from there :slight_smile:

When the malware expert is done, you can edit your post and delete the logs if you want.

Okay, here they are.
I have removed a couple of unrelated personal documents from one of them, but otherwise kept them as is.

I hope they help figure out the situation.

Those files are used on YouTube if you are playing several videos; something to do with Chrome.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Task: {96A3467E-9432-4222-9F17-2B6DBD065EFD} - System32\Tasks\{46A58287-9C42-49A2-ACD5-EBA58364E769} => pcalua.exe -a C:\Users\Groose\Downloads\q10-1.2.exe -d C:\Users\Groose\Downloads
C:\Users\Groose\Downloads\q10-1.2.exe
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Here is the log.

If it is helpful, Q10 is a writing program which I downloaded. I believe the q10-1.2.exe file is the installer.

Do you mean .hcl is a file type used by Youtube…? I’m not sure what that means in this context, since it randomly downloaded itself and the content of the file () seems malicious…

Sorry for being so clueless, thanks for helping…

Could you rename this file C:\Users\Groose\Downloads\playlist.mcl to playlist.txt and attach it to your next post?

Here you go!
I opened it on an old laptop to be safe before, but open it at your own risk, I guess.

All I did was replace “.mcl” with “.txt”, I haven’t opened it myself (too scared :P).

52.89.59 - amazonaws.com - United States - Amazon Technologies Inc. OK, this is where it is directing to.

https://urlquery.net/report.php?id=1444677598995

https://www.virustotal.com/en-gb/domain/tiwizard-media.s3.amazonaws.com/information/

https://www.reasoncoresecurity.com/domain-tiwizard-media.s3.amazonaws.com.aspx

General consensus appears to be benign… Are you experiencing any problems at all?