Do I Have A Trojan? Solved

  1.    22 Jun 2016 #21

    OK...this is better:)

    Something weird is going on.
    I couldn't boot up WD Offline with a USB drive or disc I made the other day.
    If I did it right the command prompt showed nothing with the second command.
    (I did the first then hit entered and got results...the second command did nothing)
    Perhaps I got the spaces wrong.
    And right now the link to explain how to post the results timed out.
    I assume this new posting technique keeps my information safe from others...yes?

    Bill, you say "now is the time to object" if I don't want to get rid of the Recovery completely but I don't know what that would entail.

    Well it's going on for 1:00am
    I think I'll retire.

  2. Slartybart
       22 Jun 2016 #22

    Oh ..... I should explain more, but my posts are always so long to begin with :)

    The WD defender not booting - could be a few things, but that's a side path you can explore after going down the road you're on now.

    dir lists the contents of D and > directs it into the file. The command did do something, you just didn't see any output because the greater than symbol > directs the output to the file.

    Sometimes the forum does timeout - it normally happens when I'm typing a long post and I lose the text because I wasn't paying attention.

    The new posting technique is to post file attachments - you're probably used to attaching images. It is no more or less secure than posting images ... but there shouldn't be anything confidential in a directory listing. If I see something that should not be in the public sphere, I'll ask you or an admin to take down the attachment.
    Tenforum members would not intentionally ask you to post any sensitive information. It does happen when an image or report includes something, but it is quickly corrected. But.... don't worry about a directory list of the OEM recovery partition.

    Please post the reagentc information and the %TEMP%\listDrvD.txt file
    You'll have to re-run the reagentc command
    The listDrvD.txt should exist

    %TEMP% is a shortcut way of getting to the TEMP folder under your user
    but AppData is a hidden folder, so getting there is easier using %TEMP%
    You can put %TEMP% in the File Explorer address field to get there

    What would an objection entail? You would have to leave the D: drive alone and test the file flagged as malware. If you think this is a long thread ... getting the file out of the wim has a few steps that are more technical than a directory list redirected to a file, but they aren't that difficult.

    I'll wait for the output - thanks
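    Bill's remark that getting the file out of the wim takes a few steps can be done without touching the partition. The PowerShell below is an added example and is not from this thread or from HP: it records the Defender detection, the reagentc state and the D: listing the thread asks for, then mounts the recovery image read-only and hashes and signature-checks the flagged file so it can be compared with the vendor's copy or submitted as a suspected false positive. The WIM path and the flagged file's path inside the image are placeholders, since the thread never names them.

```powershell
# Added example, not from the thread. Inspect a file that Windows Defender flags inside
# an OEM recovery WIM without changing the partition. $WimPath and $FlaggedRel are
# placeholders: take the real values from Defender's detection report and the D: listing.
#Requires -RunAsAdministrator
$WimPath    = 'D:\Recovery\PLACEHOLDER.wim'   # hypothetical location of the recovery image
$FlaggedRel = 'PLACEHOLDER\flagged.exe'       # path inside the image, as reported by WD
$MountDir   = Join-Path $env:TEMP 'wimro'

# 1. Show where Defender saw the file; Resources holds the full path of each detection.
Get-MpThreatDetection | Select-Object -ExpandProperty Resources

# 2. Windows RE state (what "reagentc /info" reports) and the D: listing redirected to a
#    file. As the thread says, ">" sends the output to the file, so nothing appears on screen.
reagentc /info
cmd /c "dir D: /s /a > `"$env:TEMP\listDrvD.txt`""

# 3. A recovery WIM may hold several images; list them before choosing an index.
Get-WindowsImage -ImagePath $WimPath | Format-Table ImageIndex, ImageName, ImageSize

# 4. Mount index 1 read-only, so the image on D: cannot be modified.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WimPath -Index 1 -Path $MountDir -ReadOnly | Out-Null
try {
    $target = Join-Path $MountDir $FlaggedRel
    if (Test-Path -LiteralPath $target) {
        # Hash, signer and timestamps are what you compare against the vendor's files or
        # submit to Microsoft as a suspected false positive. The file is never executed.
        Get-FileHash -LiteralPath $target -Algorithm SHA256
        Get-AuthenticodeSignature -FilePath $target |
            Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
        Get-Item -LiteralPath $target | Select-Object Length, CreationTime, LastWriteTime
    } else {
        Write-Warning "Not found in index 1; repeat with another ImageIndex from step 3."
    }
}
finally {
    # A read-only mount must be dismounted with -Discard.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
}
```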

  3.    22 Jun 2016 #23

    [attached images: thisfile explorer.jpg, cp.jpg]

    I don't understand the new technique of uploading files here.
    I got as far as changing my profile setting.
    But I don't know where I'm supposed to paste this "%TEMP%\listDrvD.txt"

  4.    22 Jun 2016 #24

    I should disclose that for the last few weeks I've been downloading a lot of zipped files from who knows where.
    They've been tools for Audacity, VLC and (dll's & VST's)
    It was about 5 days ago when I was on Amazon and my cursor started moving on its own and not just drifting.
    The page kinda went berserk.
    I closed it and did the usual scans.
    I then decided to nuke my PC and reinstall W10 so I did.
    (Windows will let me reinstall 10 anytime I want on this PC)

    WD is the only program that finds this file in question dangerous and only in full search.
    It successfully deleted it 2 times already but it always reappears.
    I'm in the process of deleting it the third time at this moment.

    I have two questions.

    Can I put the Recovery onto my external Seagate without affecting my movie/music files already on?
    And if I do can I still use system restore on my PC without the "D" recovery?

    WD just finished.
    Here's the results.
    [attached image: latest.JPG]
    Last edited by Koukol; 22 Jun 2016 at 14:37. Reason: picture added

  5. Slartybart
       22 Jun 2016 #25

    - recovery is disabled
    - listDrvD.txt is in %TEMP%

    There are two settings in a TF profile that affect uploading files,
    Enhanced uploading on
    Enhanced uploading off (basic is easier for newcomers and what is described in the tutorial)

    If your upload dialog looks like the one below, you're using the basic one - that's good.
    If your upload window looks like the one in lehnerus2000's post, then you should go back to your profile settings and set enhanced attachment ... off

    [attached image: tfEnhAttachOff.PNG]

    To upload it follow the tutorial, when you get to
    4. Click/tap on an empty Browse button. (see screenshot below)

    You should be able to paste %TEMP%\listDrvD.txt into the box instead of browsing.

    [attached image: tfUpload.png]

    press the Upload button

    If it doesn't take ... then browse to %TEMP% and select listDrvD.txt
    After selecting listDrvD.txt press the Upload button

    Yes, you could put D: on your external Seagate drive and no it won't affect your other files
    Windows System Restore will be fine

    I will look at the listDrvD.txt when you upload it.

    I don't expect to find anything out of the normal, but 35 GBs is large for an OEM recovery. I'm wondering if you might have used D: for other storage. The list will answer that.

  6.    22 Jun 2016 #26

    I hope this worked
    [attached files]

  7. Slartybart
       23 Jun 2016 #27

    After reviewing your thread and all the data, I figured out a better way to resolve this.

    Your machine has, as best I can determine, a false positive malware detection. It is only detected by Windows Defender (WD), the suspect file is in the HP OEM Recovery partition, and false positives by WD for this threat have been reported for a few years (always seems to be related to Wild Tangent games, distributed with many OEM machines).

    Our discussion and analysis thus far centered around manually saving and then deleting the OEM recovery partition. Rather than using a brute force method, it dawned on me to try using the HP Recovery Manager to create the HP install media and to delete the partition.

    Try is the operative word - I don't know if the HP Recovery Manager still knows about the OEM recovery partition because your machine was upgraded to Win10. I think it should, but you'll only know if you are able to successfully launch it.

    There are two operations that the utility offers

    1) Create the OEM Recovery media (which is Win8 - as the machine originally had out-of-the-box)
    This is really only useful if you want to restore the machine to the original factory condition for resale

    If you want plain vanilla Win8 (preferred by techies) you can grab the ISO from Microsoft using the Win8 Media Creation Tool.
    What you lose is all the HP OEM bloatware - HP utilities, games, and some software packaged with the machine.
    Review the software sections - you might use some of the software, but most of it is unnecessary - hence bloatware
    HP ENVY dv7 Product Specifications
    The model might not match your model, but probably contains the same bloatware - you can visit the HP for your model to double check.

    If you really want the software after re-installing plain vanilla Win8, you can download the software from HP. The only difficulty I had was with some CyberLink software - there are OEM registry entries that are only created by the HP Install media. These entries determine your eligibility to use the CyberLink software. If you don't use the CyberLink software, this is a moot point.

    2) Remove the OEM Recovery Partition
    This has been the intent of the thread because that is where the suspicious file lives

    You'll have to make the decision to create the HP OEM Recovery media or create plain vanilla Win8 install media.
    The HP Recovery partition is 35 GBs, so you'll probably need a 64 GB Thumb drive to store it. I don't recommend trying to put it on DVDs - 35 GBs would require 7 or 8 discs. It's a pain to create and a pain to re-install with that many.
    Plain vanilla Win8 install media fits on a 4GB Thumb drive or one DVD.
    Since we're talking about Win8 recovery media and your machine is now Win10, neither Win8 re-install mechanism is technically necessary. Your machine has a Digital Entitlement to Win10, so you can re-install that any time without having to re-install Win8 and do the upgrade.

    What do I do on my machines? I create the OEM recovery media when I first open the box and then Clean install with the plain vanilla install media. A clean install does not have the OEM Recovery partition, so I don't have to make any decisions about it ... but your situation is a bit different.

    The question is: Does the HP Recovery Manager still work on Win10

    Let's see -> From the Start screen, type recovery, and then select HP Recovery Manager.
    For detailed information on Backing up, restoring, and recovering, see Chapter 7 in the ENVY dv7: Maintenance and Service Guide

    If the HP Recovery Manager still works
    You decide ...
    create the OEM Recovery on a Thumb drive
    -- or --
    delete the OEM Recovery partition

    If the HP Recovery Manager does NOT work, then the decision is still the same. Make a copy of the OEM Recovery partition or just delete the OEM Recovery partition.

    The preferred method is to use the HP Recovery Manager: Delete OEM Recovery partition since it also tells the system to not look for it

    My recommendation is to delete the OEM Recovery partition. You really don't need the Win8 HP OEM Recovery media.


  8.    23 Jun 2016 #28

    Bill, you definitely have gone above and beyond with your help.
    It's greatly appreciated.

    It appears W10 got rid of my HP Recovery judging by these posts... (I couldn't find it)
    How can i get back HP Recovery Manager for Windows 10 - HP Support Forum - 5291710

    Solved: HP Recovery Manager Blocked After Windows 10 Upgrade - HP Support Forum - 5170752

    I'm hoping I don't have to reinstall W10 again.
    I just did it 5 days ago and it took me two full days to get set-up again and... and I'm still not finished.
    Of course if it's really recommended I will.

    I can easily find room on one of my external drives for the "D".

  9. Slartybart
       23 Jun 2016 #29

    Ok, that's why I had to ask you if HP Recovery Mgr worked :)

    Did you follow the fix in Solved: HP Recovery Manager Blocked After Windows 10 Upgrade - HP Support Forum - 5170752?
    No? That is the right answer.

    Since the HP Recovery Manager with the Win8 Recovery partition doesn't work on Win10 and copying it to your external drive won't help because .... well the HP Recovery Manager won't run.

  10. Slartybart
       23 Jun 2016 #30

    The only way to get HP Recovery Manager to run is to put it on a Thumb drive and boot from that - essentially by-passing Win10 in the boot process. I've offered that a few times. I understand your position "I have all this space available - why not use it".
    I thought sure why not, then changed my mind because of the work required to make it boot off of a partition on an external drive.

    Where does that leave you?
    The only immediate solution seems to be to manually delete the partition

    Clean up the HP Recovery Manager - you don't want it to think there is a HP Recovery partition
    Clean Boot - Perform in Windows 10 to Troubleshoot Software Conflicts - Windows 10 Forums
    Only do PART ONE

    Uninstall HP software that is not needed
    Most of it is not needed, exceptions would be HP printers or HP peripheral devices
    See the list at the bottom of this post

    Restart the machine after the software cleanup

    Manually delete the HP Recovery partition

    Reclaim the space for your use

    Optional: Create Win8 Install media

    This is the list from the Envy page I previously linked. Some of the pgms won't show up in Programs and Features. Some are drivers, others are trialware and might not be in the list until you try them. I don't know what you decided to use, so I left those as Your choice (everything is your choice - it's your machine). A 3rd category are those pgms that were migrated to Win10 Apps, some got new names - but they won't appear in Programs & Features. And finally some pgms were not carried over in the upgrade.

    Compare the list below to what you see in Prgm & Feats
    Take my recommendation to uninstall or decide that you want to keep the pgm.

    Microsoft Office 2010 Transition Your choice
    Windows Essentials 2012 Your choice
    Windows Live Your choice
    Microsoft App Store upgraded to Win10 App
    Getting started with Windows 8 Uninstall
    Communication Chat
    HP MyRoom Premium: 4-way IM, ..... Your choice
    Skype Uninstall
    Xbox Live upgraded to Win10 App
    Solitaire Not carried over
    Mahjong Not carried over
    HP Games Uninstall
    HP Games powered by WildTangent; ..... Uninstall
    HP Help Support
    HP Online User Guide Uninstall
    HP Recovery Manager: Uninstall
    HP Support Assistant: Uninstall
    HP Utility Center Uninstall
    HP ePrint Uninstall
    HP CoolSense Your choice
    HP ProtectSmart Hard Drive Protection Your choice
    Shopping Services
    HP+ Best Offers: Promotions ..... Uninstall
    Books, Music, Photos, and Videos
    Amazon Kindle e-reader Your choice
    Snapfish Your choice
    Netflix Your choice
    iHeart Radio Your choice
    HP Connected Music by Meridian Your choice
    Basic video player Uninstall
    Zune video player upgraded to Win10 App
    Basic music player Uninstall
    Zune music player upgraded to Win10 App
    Beats Audio Your choice
    HP Connected Photo powered by Snapfish Your choice
    Adobe Shockwave Player Uninstall
    Cyberlink YouCam DE Your choice
    Cyberlink Power DVD Premium BD Your choice
    Cyberlink Mediasuite Your choice
    Cyberlink Power2Go Your choice
    Cyberlink LabelPrint Your choice
    Cyberlink Power Director Your choice
    Cyberlink Photo Director Your choice
    Productivity Tools
    Internet Explorer 10 Not carried over
    HP Magic Canvas Your choice
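    For the "Compare the list below to what you see in Prgm & Feats" step, this added PowerShell (not from the thread or from HP) reads the uninstall registry keys that Programs and Features draws from and marks entries that match the thread's Uninstall rows; the name patterns are taken from the list above, the HP and CyberLink rows are reported as Your choice, and nothing is removed.

```powershell
# Added example, not from the thread. Inventory installed programs from the uninstall
# registry keys and mark the ones the list above says to uninstall. Read-only: it prints
# a table and the UninstallString so you can decide per program.
$UninstallPatterns = @(
    'WildTangent', 'HP Games', 'HP Support Assistant', 'HP Recovery Manager',
    'HP Utility Center', 'HP ePrint', 'HP Online User Guide', 'HP+ Best Offers',
    'Getting started with Windows 8', 'Adobe Shockwave', 'Skype'
)
# Both 64-bit and 32-bit (WOW6432Node) hives plus per-user installs feed Programs & Features.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |                 # skip keys without a visible name
    ForEach-Object {
        $name = $_.DisplayName
        $hit  = $UninstallPatterns | Where-Object { $name -like "*$_*" } | Select-Object -First 1
        if ($hit) {
            $rec = 'Uninstall (thread list)'
        } elseif ($name -match 'HP|Hewlett|CyberLink') {
            $rec = 'Your choice'                      # vendor software the thread leaves to you
        } else {
            $rec = $null                              # not covered by the list; ignore
        }
        if ($rec) {
            [pscustomobject]@{
                Program        = $name
                Publisher      = $_.Publisher
                Recommendation = $rec
                UninstallCmd   = $_.UninstallString   # what Programs & Features would run
            }
        }
    } |
    Sort-Object Recommendation, Program |
    Format-Table -AutoSize -Wrap
```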

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.