In Progress Quardata folder

stkwPete

Thread Starter
Joined
May 21, 2020
Messages
6
First Name
Peter
I have a QUARDATA directory on my desktop which has appeared ;out of nowhere.

PROPERTIES OF THE DIRECTORY -
1590112984869.png

My system details -
Tech Support Guy System Info Utility version 1.0.0.9
OS Version: Microsoft Windows 10 Pro, 64 bit, Build 18362, Installed 20190823184420.000000+600
Processor: Intel(R) Core(TM)2 Duo CPU E7400 @ 2.80GHz, Intel64 Family 6 Model 23 Stepping 10, CPU Count: 2
Total Physical RAM: 3 GB
Graphics Card: Intel(R) G33/G31 Express Chipset Family (Microsoft Corporation - WDDM 1.0), 256 MB
Hard Drives: C: 231 GB (20 GB Free); D: 465 GB (449 GB Free);
Motherboard: Gigabyte Technology Co., Ltd. G31M-S2L
System: Award Software International, Inc., ver GBT - 42302e31
Antivirus: Norton 360, Enabled and Updated
 

DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
325
Hi, stkwPete.

Welcome to TSG Forums.

I'm DR M and I will be assisting you with your computer.

Please have in mind during the cleaning procedure:

1. Do not run any tool
unless instructed to do so. Also, do not uninstall or install any software during the proceedure, unless I ask you to do so.

2. Always ask before act. Do not continue if you are not sure, or if something unexpected happens.

3. I am still in training and my fixes have to be approved by my instructor, so there may be a slight delay in my replies. Look at it as a good thing though, since you will have two people looking at your problem.

=======================================================================

Let's start.

Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

If you get a message
that the tool is malware, ignore it. It's a false-positive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produced two logs on your Desktop: FRST.txt and Addition.txt.
  • Please copy and paste the content of these two logs in your next reply.
 

DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
325
Hi, stkwPete.

Thanks for the logs.

I will review them tomorrow. Here is already 01:00. 🙂
 

DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
325
Hi, stkwPete.

You said that you see the Quardata folder on your Desktop? It's not shown in the logs however.

Let's make some cleaning:

1. A question first:

Did you intentionally enable notifications from these sites?

Code:
hxxps://app.gotowebinar.com;
hxxps://aumysteryshopper.com.au;
hxxps://changiairport.os.tc;
hxxps://dealwiki.net;
hxxps://fly.virginaustralia.com;
hxxps://healthengine.com.au;
hxxps://mashable.com;
hxxps://people.com;
hxxps://producttesting.com.au;
hxxps://www.blindscity.com.au;
hxxps://www.garuda-indonesia.com;
hxxps://www.gumtree.com.au;
hxxps://www.kogan.com;
hxxps://www.oneflare.com.au;
hxxps://www.platypusshoes.com.au;
hxxps://www.pricecheck.co.za;
hxxps://www.techradar.com;
hxxps://www.theathletesfoot.com.au

2. Remove a Chrome extension

  • Type chrome://extensions in the address bar and press Enter.
  • Click Remove under the extension you'd like to completely remove. In your case: Ask Web Search
  • A confirmation dialog appears. Click Remove.

3. Run FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
SearchScopes: HKU\S-1-5-21-601134893-2736449416-3837295113-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&l=dis&prt=NGC&chn=1000&geo=AU&ver=22.20.2.57&locale=AU_en&guid=B0DD5857-0533-4D72-B154-28054F70C286&doi=2016-09-01&o=APN11913&cmpgn=mar20&gct=kwd&qsrc=2869
CHR DefaultSearchURL: Default -> hxxps://search.tb.ask.com/search/GGmain.jhtml?searchfor={searchTerms}&enableSearch=true&rdrct=no&redirect=CPC
CHR DefaultSearchKeyword: Default -> ask
CHR DefaultSuggestURL: Default -> hxxps://ss.search.ask.com/ss?li=ff&sstype=prefix&limit=10&hl=en&q={searchTerms}&enableSearch=true&rdrct=no
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

4. Run MBAM
  • Download Malwarebytes and save it to your Desktop.
  • Once downloaded, close all programs and Windows on your computer.
  • Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
  • Follow the instructions to install the program.
  • When finished, double click the program's icon created on your Desktop.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) is unchecked.
    Under the title Potentially unwanted items are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may be take longer.
  • When finished, you will see the Thread Scan Summary window open.
  • If threads are not found, click View Report and proceed to the two last steps below.
  • If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

5. Run AdwCleaner

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Filestab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

In your next reply, please make sure to post:
  1. The Fixlog.txt content
  2. The MBAM report
  3. AdwCleaner[S0*].txt
  4. Your reply about the notifications
 

stkwPete

Thread Starter
Joined
May 21, 2020
Messages
6
First Name
Peter
Dear Dr M


Thanks for your prescribed list of tasks to clean up my PC.

I have had issues and therefore not progressed these.

Firstly, in the initial report of my problem, I indicated the “QUARDATA directory on my desktop"

In saying “desktop”, I meant my office / desk bound computer (versus laptop etc.) rather than the Windows Desktop folder / screen.

Quardata directory actually appears among my own directories, as shown in attachment.

Upon receiving your first instruction to instal FRST, I did so. It downloaded an exe which I ran after ignoring the warnings. This created a FRST directory, with a “Logs” subdirectory in which your two log files appeared after I ran the Scan option on FRST’s GUI. I sent the logs back to you.

Upon receiving your “Sunday at 7:36am” message, I could not find an exe for FRST anywhere in my system. The program’s directory and sub directories etc. still existed, but there was no program to execute (FRST.exe or similar) anywhere, not in the FRST directories, not in the Windows Desktop, not in the Windows Programs and features list.

Not sure how I fowled this.

I have redownloaded FRST and rerun the scan. I have its GUI still open and will try to leave it that way (just by putting the system to sleep when not in use) until I hear back. Please indicate whether I can progress your Tuesday at 1:13am instructions, or I need do something else.

Apologies for all this nuisance.
 

Attachments

DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
325
Hello.

Thank you for describing the issue.

Yes, please. Go on with the instructions in my previous post.
 

DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
325
Hi, Peter.

Do you need any help regarding the above?
 

DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
325
I'm leaving this thread due to lack of feedback. If you still need assistance, please send me a PM (Personal Message) with a link to your topic.
 

stkwPete

Thread Starter
Joined
May 21, 2020
Messages
6
First Name
Peter
Hi Dr M

Apologies for delay

From your last task list, I have just fiished instald and running th

" Did I intentionally enable notifications " - No I did not.

Apologies again and I will do my best to turn anything further around within 24 hours.

Thanking you so much for getting me this far.

Mbam report -
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/2/20
Scan Time: 7:18 PM
Log File: 018a791c-a4b2-11ea-8a08-001fd00f868d.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.931
Update Package Version: 1.0.24888
License: Trial

-System Information-
OS: Windows 10 (Build 18362.836)
CPU: x64
File System: NTFS
User: PETER-PC\russo

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 275441
Threats Detected: 3
Threats Quarantined: 0
Time Elapsed: 6 min, 57 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.Reimage, HKLM\SOFTWARE\REIMAGE\Reimage Repair, No Action By User, 382, 336077, 1.0.24888, , ame,
PUP.Optional.Reimage, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Reimage Repair, No Action By User, 382, 327201, 1.0.24888, , ame,

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
PUP.Optional.Reimage, C:\USERS\PUBLIC\DESKTOP\RESUME REIMAGE REPAIR INSTALLATION.LNK, No Action By User, 382, 327182, 1.0.24888, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
 

Attachments

DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
325
Hi, Peter.

No problem. I thought that you got things sorted out.

I marked the thread as In progress again, and I will be back to you soon.
 

DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
325
Hi, Peter.

Here is the new set of instructions:

1. Run Malwarebytes (Clean mode)
  • Double click the program's icon on your Desktop, as you did before.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) is unchecked.
    Under the title Potentially unwanted items are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may be take longer.
  • When finished, you will see the Thread Scan Summary window open.
  • If threads are not found, click View Report and proceed to the two last steps below.
  • If threats are found, make sure that all threats are selected, and click on Quarantine/Remove selected.
  • You may need to restart the computer.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

2. Run AdwCleaner (Clean mode)
  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • When the scan has finished a Scan Results window will open.
  • Please check all threads found and then click Quarantine.
  • Click Next.
    • If any pre-installed software was found on your machine, a prompt window will open (Note: previous scan showed no pre-installed software in your machine, so you can skip these sub steps).
      • Click OK to close it.
    • Check any pre-installed software items you want to remove (previous scan showed no pre-installed software in your machine, so you can skip this).
    • Click Quarantine.
  • A prompt to save your work will appear.
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear.
    • Click Restart Now.
  • Once your computer has restarted:
    • If it doesn't open automatically, please start ADWCleaner.
    • Click the Log Files tab.
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.

3. Search for Quardata
  • Double-click FRST.exe/FRST64.exe to run it, as you did before.
  • Copy and paste the following into the Search box.
Code:
Quardata
  • Press the Search Files button.
  • When complete, FRST will generate a log in the same location it was run from (Search.txt)
  • Please copy and paste its contents into your next reply.

In your next reply, please post:
  1. The Malwarebytes report
  2. The AdwCleaner[C0*].txt
  3. The Search.txt
We will deal with the notifications later.
 

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top