Windows 10: Do I Have A Trojan?

Discussion in 'AntiVirus, Firewalls and System Security' started by Koukol, Jun 19, 2016.

  1. Koukol Win User

    "One more piece of the puzzle: I'd like to see your Disk Management"

    [screenshot: Disk Management]
     
    Koukol, Jun 21, 2016
    #16
  2. Koukol Win User

    I guess HP products list the Recovery as "D"
    It also must be that the WD fast scan omits the Recovery drive while the full scan doesn't.
     
    Koukol, Jun 21, 2016
    #17
  3. Thanks, just as I thought - GPT drive. Now I have to think a bit for the correct id to make it not an OEM partition.

    Yeah sometimes HP gives Recovery a letter, sometimes not.

    Koukol, you've done great with all of my requests - thank you.

    I'm running out of steam right now, maybe in a few hours or in the morning I'll pick up your thread again.

    Did you run the other scans I posted? Did they find the file as a threat? Did they clean up anything else?

    There are two paths
    1) backup the D: drive. Not difficult, but time consuming on a forum. and it's 35+ GBs - you'll need a place to put it - a new 64 GB thumbdrive is what I would recommend. So it's time and money
    It would be nice to have install discs (you didn't by chance make them when you got the machine did you?)
    Creating them now is an entirely different project. That's sort of why I was trying to save the D: drive. With a little tweaking it could be your OEM install media.

    Remind me - what version was upgraded (7 or 8)?

    2) Nuke the D drive after checking what's on it. If it's the previous Win OEM install pkg, then you probably won't use it ever again.
    You solve the malware question and you gain 35+ GBs

    Think about what you want to do next - save or Nuke (after verifying the contents) D:
    Me - don't worry about me - I'm in for the duration, whatever you decide.

    Bill
    .
     
    Slartybart, Jun 21, 2016
    #18
  4. Koukol Win User

    "Koukol, you've done great with all of my requests - thank you.
    I'm running out of steam right now, maybe in a few hours or in the morning I'll pick up your thread again.
    Did you run the other scans I posted? Did they find the file as a threat? Did they clean up anything else?"


    Bill, it's you who should be thanked.
    It's kind people like you who make the internet great.

    My PC came with W8 and I hated it.
    I preferred Vista on my older laptop.
    And despite a few flaws I now prefer W10 along with Firefox and don't want to go back.

    I haven't finished all the scans since I've been busy making a Birthday card for my sister-in-law for tomorrow.
    I'm still wondering if I need to actually access the trojan in question since I don't know how to find it.
    I was under the impression I was not to touch the Recovery drive.

    If I remove it completely can I still do a System setback ( restore) in the Recovery options?
    I rely on this heavily.
    As I said whatever I did yesterday I successfully restored my PC to a few days ago when I made a restore point after WD supposedly got rid of this trojan (?)
    If I could nuke all games on my PC I'd gladly do it even if it didn't get rid of this problem.
    I've no idea how that game got on my PC's Recovery since I've never downloaded one in my life.

    I'll try them this evening.

    Cheers!
     
    Koukol, Jun 21, 2016
    #19
  5. Koukol Win User
    OK, as I suspected I don't know how to get into my Recovery.

    I went VirusUploader and could only add the name in a search that came up with nothing.
    I then downloaded VTUploader and couldn't figure out what to do.
    One folder was too big and the others empty.
    (See grabs)


    [screenshot]

    I tried the "WindowsRE" folder above and got this message.

    [screenshot]
     
    Koukol, Jun 21, 2016
    #20
  6. Ok, don't sweat this tonight ... enjoy making your sister's birthday card.

    I still have to find the correct value for the partition id - easy - just have to look it up.

    Knowing it was Win8 is a good thing - you could, if you wanted to go back, download the ISO. But knowing you're good with Win10 makes it even easier. You can download the ISO for Win10 as well. Win7 would have been an issue ... but that's not germane - cool.

    Also knowing that you can access the D: partition - might make it easier.

    I think we'll just nuke D: after two last checks:

    1) Command Prompt (Admin)
    enter the following commands

    reagentc /info
    dir d:\ /a /s > %TEMP%\listDrvD.txt
    Post a screen shot of Cmd window and close it

    On your next post, attach (See: Upload Screenshots or Files)

    %TEMP%\listDrvD.txt
    Just paste the entire line above in the File name: field.


    [screenshot]

    reagentc tells you where the Windows Recovery is located - it's a bit cryptic, but figuring it out comes from a lot of the disk information you posted before.

    dir lists the contents of D and > directs it into the file.

    After I look at those two things, I think I'll just give you instructions to remove the OEM Recovery.

    If you have any questions or objections - now is the time.

    Well, I still have to write them up and you still have to read and execute them, so there's plenty of time.
     
    Slartybart, Jun 21, 2016
    #21
  7. Koukol Win User
    I was successful getting some info with "reagentc /info"
    But "dir d:\ /a /s > %TEMP%\listDrvD.txt" came up with nothing.
    (I don't know how to get the pasted text back to normal)
     
    Koukol, Jun 21, 2016
    #22
  8. Koukol Win User

    OK... this is better.

    Something weird is going on.
    I couldn't boot up WD Offline with a USB drive or disc I made the other day.
    If I did it right the command prompt showed nothing with the second command.
    (I did the first then hit entered and got results...the second command did nothing)
    Perhaps I got the spaces wrong.
    And right now the link to explain how to post the results timed out.
    I assume this new posting technique keeps my information safe from others...yes?

    Bill, you say "now is the time to object" if I don't want to get rid of the Recovery completely but I don't know what that would entail.

    Well it's going on for 1:00am
    I think I'll retire.
     
    Koukol, Jun 21, 2016
    #23
  9. Oh ..... I should explain more, but my posts are always so long to begin with.

    The WD defender not booting - could be a few things, but that's a side path you can explore after going down the road you're on now.

    dir lists the contents of D and > directs it into the file. The command did do something, you just didn't see any output because the greater than symbol > directs the output to the file.

    Sometimes the forum does timeout - it normally happens when I'm typing a long post and I lose the text because I wasn't paying attention.

    The new posting technique is to post file attachments - you're probably used to attaching images. It is no more or less secure than posting images ... but there shouldn't be anything confidential in a directory listing. If I see something that should not be in the public sphere, I'll ask you or an admin to take down the attachment.
    Tenforum members would not intentionally ask you to post any sensitive information. It does happen when an image or report includes something, but it is quickly corrected. But.... don't worry about a directory list of the OEM recovery partition.

    Please post the reagentc information and the %TEMP%\listDrvD.txt file
    You'll have to re-run the reagentc command
    The listDrvD.txt should exist

    %TEMP% is a shortcut way of getting to the TEMP folder under your user
    C:\Users\Koukol\AppData\Local\Temp
    but AppData is a hidden folder, so getting there is easier using %TEMP%
    You can put %TEMP% in the File Explorer address field to get there

    What would an objection entail? You would have to leave the D: drive alone and test the file flagged as malware. If you think this is a long thread ... getting the file out of the wim has a few steps that are more technical than a directory list redirected to a file, but they aren't that difficult.

    I'll wait for the output - thanks
     
    Slartybart, Jun 21, 2016
    #24
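The steps Bill alludes to above (list D:, find the flagged file, get it out of the WIM so it can be tested) as one PowerShell script. This is an added example, not code from either poster. It assumes the OEM recovery partition is D:, that the file name Windows Defender reported is known (the `suspect.exe` placeholder below is an assumption, put the real name there), and that the Dism and Defender PowerShell modules that ship with Windows 10 are available. It goes one step further than the thread: it hashes the file with SHA-256, so the hash can be searched on VirusTotal without uploading anything, and it mounts the image read-only so the partition is never modified.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): inventory an OEM recovery partition and
# pull a suspect file out of its .wim so it can be hashed and sent for a second
# opinion. Nothing on the partition is written to: the WIM is mounted read-only.
# Assumptions: the recovery partition is D:, the suspect file name is known from
# the Defender detection (placeholder below), Dism/Defender modules present.
# Split images (*.swm) are not handled here.
param(
    [string]$RecoveryDrive = 'D:',
    [string]$SuspectName   = 'suspect.exe',               # placeholder: the name Defender reported
    [string]$MountDir      = "$env:SystemDrive\WimMount"   # scratch mount point, created if missing
)

# 1. The same listing the thread asked for, written to %TEMP% like 'dir d:\ /a /s > ...'.
$listing = Join-Path $env:TEMP 'listDrvD.txt'
Get-ChildItem -Path "$RecoveryDrive\" -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime |
    Out-File -FilePath $listing -Encoding utf8
Write-Host "Directory listing written to $listing"

# 2. What Defender actually flagged. Resources are strings such as 'file:_D:\path\file'
#    (format as observed in Defender output; treat the exact shape as an assumption).
Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ThreatID,
        @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize

# 3. Is the file sitting loose on the partition? Then just hash it.
Get-ChildItem -Path "$RecoveryDrive\" -Recurse -Force -Filter $SuspectName -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        Write-Host "LOOSE  $($_.FullName)  SHA256=$h"
    }

# 4. Otherwise it is probably inside a WIM. Mount each image index read-only,
#    search it, hash and copy out any hit, then discard the mount.
$wims = Get-ChildItem -Path "$RecoveryDrive\" -Recurse -Force -Filter '*.wim' -ErrorAction SilentlyContinue
foreach ($wim in $wims) {
    foreach ($img in (Get-WindowsImage -ImagePath $wim.FullName)) {
        New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
        Write-Host "Mounting $($wim.FullName) index $($img.ImageIndex) ($($img.ImageName)) read-only"
        try {
            Mount-WindowsImage -ImagePath $wim.FullName -Index $img.ImageIndex -Path $MountDir -ReadOnly | Out-Null
            Get-ChildItem -Path $MountDir -Recurse -Force -Filter $SuspectName -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $h    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    # Copy out for submission to a scanner; the mounted image itself is untouched.
                    $dest = Join-Path $env:TEMP ("{0}_{1}_{2}" -f $wim.BaseName, $img.ImageIndex, $_.Name)
                    Copy-Item -Path $_.FullName -Destination $dest -Force
                    Write-Host "IN-WIM $($wim.Name)[$($img.ImageIndex)] $($_.FullName)  SHA256=$h  copied to $dest"
                }
        }
        finally {
            # Read-only mount: nothing to commit, so always discard.
            Dismount-WindowsImage -Path $MountDir -Discard -ErrorAction SilentlyContinue | Out-Null
        }
    }
}
```

Run it from an elevated PowerShell (mounting a WIM needs admin). If the file only ever turns up inside the WIM and not loose on D:, that explains why a quick scan never sees it and a full scan does, and why "deleting" it keeps failing: the image is the copy that gets re-scanned each time. Search the SHA-256 on VirusTotal first; only upload the copied-out file if the hash is unknown.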
  10. Koukol Win User
    [screenshot]

    [screenshot]


    I don't understand the new technique of uploading files here.
    I got as far as changing my profile setting.
    But I don't know where I'm supposed to paste this "%TEMP%\listDrvD.txt"
     
    Koukol, Jun 21, 2016
    #25
  11. Koukol Win User
    I should enclose that for the last few weeks I've been downloading a lot of zipped files from who knows where.
    They've been tools for Audacity, VLC and Paint.net (dll's & VST's)
    It was about 5 days ago when I was on Amazon and my cursor started moving on its own and not just drifting.
    The page kinda went berserk.
    I closed it and did the usual scans.
    I then decided to nuke my PC and reinstall W10 so I did.
    (Windows will let me reinstall 10 anytime I want on this PC)

    WD is the only program that finds this file in question dangerous and only in full search.
    It successfully deleted it 2 times already but it always reappears.
    I'm in the process of deleting it the third time at this moment.

    I have two questions.

    Can I put the Recovery onto my external Seagate without affecting my movie/music files already on it?
    And if I do can I still use system restore on my PC without the "D" recovery?

    WD just finished.
    Here's the results.
     
    Koukol, Jun 21, 2016
    #26
  12. Thanks
    - recovery is disabled
    - listDrvD.txt is in %TEMP%

    There are two settings in a TF profile that affect uploading files,
    Enhanced uploading on
    Enhanced uploading off (basic is easier for newcomers and what is described in the tutorial)

    If your upload dialog looks like the one below, you're using the basic one - that's good.
    If your upload window looks like the one in lehnerus2000's post, then you should go back to your profile settings and set enhanced attachment ... off


    [screenshot]


    To upload it follow the tutorial, when you get to
    OPTION TWO
    4. Click/tap on an empty Browse button. (see screenshot below)

    You should be able to paste %TEMP%\listDrvD.txt into the box instead of browsing.


    [screenshot]
    press the Upload button

    If it doesn't take ... then browse to %TEMP% and select listDrvD.txt
    After selecting listDrvD.txt press the Upload button

    Yes, you could put D: on your external Seagate drive and no it won't affect your other files
    Windows System Restore will be fine

    I will look at the listDrvD.txt when you upload it.

    I don't expect to find anything out of the normal, but 35 GBs is large for an OEM recovery. I'm wondering if you might have used D: for other storage. The list will answer that.
     
    Slartybart, Jun 21, 2016
    #27
  13. After reviewing your thread and all the data, I figured out a better way to resolve this.

    Your machine has, as best I can determine, a false positive malware detection. It is only detected by Windows Defender (WD), the suspect file is in the HP OEM Recovery partition, and false positives by WD for this threat have been reported for a few years (always seems to be related to Wild Tangent games, distributed with many OEM machines).

    Our discussion and analysis thus far centered around manually saving and then deleting the OEM recovery partition. Rather than using a brute force method, it dawned on me to try using the HP Recovery Manager to create the HP install media and to delete the partition.

    Try is the operative word - I don't know if the HP Recovery Manager still knows about the OEM recovery partition because your machine was upgraded to Win10. I think it should, but you'll only know if you are able to successfully launch it.

    There are two operations that the utility offers

    1) Create the OEM Recovery media (which is Win8 - as the machine originally had out-of-the-box)
    This is really only useful if you want to restore the machine to the original factory condition for resale

    If you want plain vanilla Win8 (preferred by techies) you can grab the ISO from Microsoft using the Win8 Media Creation Tool.
    What you lose is all the HP OEM bloatware - HP utilities, games, and some software packaged with the machine.
    Review the software sections - you might use some of the software, but most of it is unnecessary - hence bloatware
    HP ENVY dv7 Product Specifications
    The model might not match your model, but probably contains the same bloatware - you can visit the HP site for your model to double check.

    If you really want the software after re-installing plain vanilla Win8, you can download the software from HP. The only difficulty I had was with some CyberLink software - there are OEM registry entries that are only created by the HP Install media. These entries determine your eligibility to use the CyberLink software. If you don't use the CyberLink software, this is a moot point.

    2) Remove the OEM Recovery Partition
    This has been the intent of the thread because that is where the suspicious file lives
    You'll have to make the decision to create the HP OEM Recovery media or create plain vanilla Win8 install media.
    The HP Recovery partition is 35 GBs, so you'll probably need a 64 GB Thumb drive to store it. I don't recommend trying to put it on DVDs - 35 GBs would require 7 or 8 discs. It's a pain to create and a pain to re-install with that many.
    Plain vanilla Win8 install media fits on a 4GB Thumb drive or one DVD.
    Since we're talking about Win8 recovery media and your machine is now Win10, neither Win8 re-install mechanism is technically necessary. Your machine has a Digital Entitlement to Win10, so you can re-install that any time without having to re-install Win8 and do the upgrade.

    What do I do on my machines? I create the OEM recovery media when I first open the box and then Clean install with the plain vanilla install media. A clean install does not have the OEM Recovery partition, so I don't have to make any decisions about it ... but your situation is a bit different.

    The question is: Does the HP Recovery Manager still work on Win10

    Let's see -> From the Start screen, type recovery, and then select HP Recovery Manager.
    For detailed information on Backing up, restoring, and recovering, see Chapter 7 in the ENVY dv7: Maintenance and Service Guide
    If the HP Recovery Manager still works
    You decide ...
    create the OEM Recovery on a Thumb drive
    -- or --
    delete the OEM Recovery partition

    If the HP Recovery Manager does NOT work, then the decision is still the same. Make a copy of the OEM Recovery partition or just delete the OEM Recovery partition.

    The preferred method is to use the HP Recovery Manager: Delete OEM Recovery partition since it also tells the system to not look for it

    My recommendation is to delete the OEM Recovery partition. You really don't need the Win8 HP OEM Recovery media.

    Bill
    .
     
    Slartybart, Jun 22, 2016
    #28
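Before deleting "the" recovery partition it is worth confirming which partition is which: a GPT machine normally has two partitions of recovery type, the small one that holds the active Windows RE (Reset, Startup Repair, the offline scanner) and the large OEM image partition that this thread is about. The script below is an added example, not something either poster ran. It assumes a GPT disk (as established earlier in the thread), the Get-Partition cmdlet from Windows 8/10, and that `reagentc /info` prints a line of the form `Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE` (the exact wording is an assumption; the disk and partition numbers are parsed out of it). The GUID-to-name table covers only the four well-known Microsoft partition types; anything else is printed raw.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: tell the OEM recovery partition apart from
# the partition holding the active Windows RE before deleting anything.
# Assumptions: GPT disk, Windows 8/10 Storage module (Get-Partition), and that
# 'reagentc /info' reports the WinRE location as
#   \\?\GLOBALROOT\device\harddisk<N>\partition<M>\Recovery\WindowsRE

# Well-known GPT partition type GUIDs, in the braced string form Get-Partition reports.
$GptTypeNames = @{
    '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}' = 'EFI System'
    '{e3c9e316-0b5c-4db8-817d-f92df00215ae}' = 'Microsoft Reserved'
    '{ebd0a0a2-b9e5-4433-87c0-68b6b72699c7}' = 'Basic data'
    '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}' = 'Windows Recovery'
}

# Parse 'reagentc /info' for the enabled flag and the disk/partition of the active WinRE.
function Get-WinReLocation {
    $text    = (& "$env:SystemRoot\System32\reagentc.exe" /info 2>&1) -join "`n"
    $enabled = $text -match 'Windows RE status\s*:\s*Enabled'
    $m       = [regex]::Match($text, 'harddisk(\d+)\\partition(\d+)', 'IgnoreCase')
    [pscustomobject]@{
        Enabled   = [bool]$enabled
        Disk      = if ($m.Success) { [int]$m.Groups[1].Value } else { $null }
        Partition = if ($m.Success) { [int]$m.Groups[2].Value } else { $null }
    }
}

$winre = Get-WinReLocation
if (-not $winre.Enabled) {
    # This is the state reported earlier in the thread ("recovery is disabled").
    Write-Warning 'reagentc reports Windows RE disabled; no partition can be marked as the active WinRE.'
}

Get-Partition | ForEach-Object {
    $rawType  = [string]$_.GptType
    $typeName = if ($GptTypeNames.ContainsKey($rawType)) { $GptTypeNames[$rawType] } else { $rawType }
    $isWinRe  = $winre.Enabled -and ($_.DiskNumber -eq $winre.Disk) -and ($_.PartitionNumber -eq $winre.Partition)

    # Size threshold is a heuristic: the WinRE partition is a few hundred MB,
    # an OEM factory image is tens of GB (35 GB in this thread).
    $verdict = if ($isWinRe) { 'KEEP: active Windows RE lives here' }
               elseif ($typeName -eq 'Windows Recovery' -and $_.Size -gt 10GB) { 'Probably the OEM recovery image (large, not the active WinRE)' }
               elseif ($typeName -eq 'Windows Recovery') { 'Recovery-type partition: confirm contents before touching' }
               else { '' }

    [pscustomobject]@{
        Disk    = $_.DiskNumber
        Part    = $_.PartitionNumber
        Letter  = $_.DriveLetter
        SizeGB  = [math]::Round($_.Size / 1GB, 1)
        Type    = $typeName
        Verdict = $verdict
    }
} | Format-Table -AutoSize
```

Two caveats the table does not settle on its own. HP sometimes gives the OEM partition a drive letter and a plain basic-data type, as this thread observed, so a partition that shows up as "Basic data" with a Recovery label still needs the directory listing from earlier in the thread to confirm what it holds. And the two kinds of recovery are independent of System Restore: restore points live in the System Volume Information folder on C: and survive deleting the OEM partition, whereas deleting the partition that reagentc points at breaks Reset and the Windows Defender Offline boot. If diskpart refuses to remove the OEM partition because of its type, `delete partition override` is the command that forces it, which is the step Bill was looking up the partition id for.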
  14. Koukol Win User
    Bill, you definitely have gone above and beyond with your help.
    It's greatly appreciated.

    It appears W10 got rid of my HP Recovery judging by these posts... (I couldn't find it)
    How can i get back HP Recovery Manager for Windows 10 - HP Support Forum - 5291710

    Solved: HP Recovery Manager Blocked After Windows 10 Upgrade - HP Support Forum - 5170752

    I'm hoping I don't have to reinstall W10 again.
    I just did it 5 days ago and it took me two full days to get set-up again and... and I'm still not finished.
    Of course if it's really recommended I will.

    I can easily find room on one of my external drives for the "D".
     
    Koukol, Jun 23, 2016
    #29
  15. Ok, that's why I had to ask you if HP Recovery Mgr worked.

    Did you follow the fix in Solved: HP Recovery Manager Blocked After Windows 10 Upgrade - HP Support Forum - 5170752?
    No? That is the right answer.

    Since the HP Recovery Manager with the Win8 Recovery partition doesn't work on Win10 and copying it to your external drive won't help because .... well the HP Recovery Manager won't run.
     
    Slartybart, Jun 23, 2016
    #30