
Trojan.Huhc


9 replies to this topic

#1 Bill 0


Posted 17 March 2014 - 12:41 AM

I just had a positive hit from Malwarebytes on a scan I ran tonight listing a file as "Trojan.Huhc"

 

The interesting thing is that it was in a file that I believe was used as a temp file (C:\Temp\ML-1740\DATA) for installation of printer drivers when I used a relative's printer several years ago. The file in question was titled SSOpen.exe.  The date on the file was 2/26/2009 (which is about right for when I would have installed those files) and all of the other files in the folder looked like files appropriate for a printer. Doing an internet search on the file name did list it as being associated with Samsung, and running it through jotti showed no detection on all 22 scanners.  However, the hashes reported by jotti were different than another website (herd protect) reported should be associated with that file.

 

I haven't noticed any odd behavior recently; this was picked up on a routine scan that I usually do weekly.  I also had run TDSSKiller prior to the Malwarebytes scan without any threats detected.

 

So, I'm not sure if this should be considered a new detection with a spoofed file time or a false positive on Malwarebytes' part.  Interestingly, I noticed that this same evening, someone else reported a similar detection on this thread.

 

Bill


Edited by Bill 0, 17 March 2014 - 12:48 AM.
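The mismatch Bill describes (jotti's hashes not matching the values herdProtect lists for SSOpen.exe) and the question of a spoofed file date both come down to the same check, shown here as an added example that is not part of the thread: compute the file's hashes and compare them against a reference, and treat the modification time as a hint only, since anyone who can write the file can set it. The reference hashes, the sample bytes and the temp file are constructed for the demo; the "known-good" value is the SHA-256 of the bytes b"abc", not a real vendor hash.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed reference values for this demo (not from any vendor database):
# SHA-256 of the three bytes b"abc", standing in for a "known-good" hash that a
# vendor or a lookup service would publish for a file.
REFERENCE_GOOD = {"sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}
REFERENCE_OTHER = {"sha256": "00" * 32}   # constructed mismatch case


def file_hashes(path, chunk_size=1 << 20):
    """Return MD5, SHA-1 and SHA-256 of a file, read in chunks so large files are fine."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(block)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def compare_with_reference(hashes, reference):
    """True only if every algorithm present in `reference` matches exactly.

    Comparison is case-insensitive. An empty reference never matches: having
    nothing to compare against is not a clean bill of health.
    """
    if not reference:
        return False
    return all(hashes.get(algo, "").lower() == value.lower()
               for algo, value in reference.items())


def timestamp_report(path):
    """Modification time of the file, as a hint only: mtime is user-settable
    (os.utime does exactly that in demo() below), so an old date proves nothing."""
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    return {"mtime": mtime.isoformat(), "mtime_year": mtime.year}


def demo(data=b"abc"):
    """Write a constructed sample file, backdate it to 2009, and show that the
    timestamp says 'old' while the hash comparison is what actually decides."""
    fd, path = tempfile.mkstemp(suffix=".exe")   # constructed sample file
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        backdated = datetime(2009, 2, 26, tzinfo=timezone.utc).timestamp()
        os.utime(path, (backdated, backdated))    # trivially spoofed mtime
        hashes = file_hashes(path)
        return {
            "hashes": hashes,
            "timestamps": timestamp_report(path),
            "matches_good_reference": compare_with_reference(hashes, REFERENCE_GOOD),
            "matches_other_reference": compare_with_reference(hashes, REFERENCE_OTHER),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The useful habit this encodes: when two services disagree about a file's hash, hash the copy on disk yourself and compare against each reference; a disagreement means the copies differ, not that one scanner is wrong. The 2009 date in the report comes back unchanged after a one-line os.utime, which is why the example never uses it as evidence.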




#2 noknojon


Posted 17 March 2014 - 01:24 AM

Hello Bill 0 -

 

Please carefully Fully read and then Follow these instructions as printed

Steps to remove "Win32.Huhc.B" automatically
  • Download Dr.Web CureIt! and save it to your desktop.
  • Download Security Space Pro 7.0 (32/64-bit) and save it to your desktop.
  • Reboot the computer into Safe Mode (press F8 before any Microsoft logo appears).
  • Double click "cureit.exe" on the desktop and follow the on-screen instructions to scan the hard disk.
    Wait patiently; an express scan may take 20-60 minutes, depending entirely on your computer.
  • After scanning is done, select all viruses found and choose "Cure".
    If some files are not suitable to be cured, choose "Quarantine" or "Delete".
  • NOW - When all viruses found are cured, quarantined, or deleted, reboot to Normal Mode.
  • Uninstall your existing anti-virus software, which could not kill the viruses, and then reboot again.
  • Locate the setup file of Security Space Pro on the desktop and double click to run it.
    For step-by-step procedures, please refer to the installation video guide.
  • During setup, choose to obtain a demo key.
  • After the first update, the scanner will be launched again; quit the scanner at this point.
  • Complete the setup by rebooting the computer.
  • When time allows (it may need several hours), perform a full scan in Dr.Web Scanner.
Note :
  • If Windows is unable to start due to virus infection, try Dr.Web LiveCD or Dr.Web LiveUSB instead of Dr.Web CureIt!
  • The time needed for an express or full scan depends on many factors, such as system performance, available memory, running processes, number of drives and files, etc.


#3 Bill 0


Posted 17 March 2014 - 03:36 PM

We have a bit of a problem.

 

I worked through all of the instructions.  Cure it found 2 possible threats and eliminated them.  I ran Dr. Web on a full scan that did pick up several more threats.  The main problem is that I clicked on neutralize, and Dr. Web appears to have hung in the middle of the cleanup operation.  I went outside and shoveled snow for several hours while the cleanup was running, and it's still in the same position as when I left.  There also doesn't appear to be a way to stop the cleanup process.

 

Another issue is that many of the threats Dr. Web pulled up are in the Outlook.pst file.  Overall, I can't let that file get deleted -- too many important things in there.  Among the threats it listed were several with an .exe extension (didn't recognize them -- I hope they were things I deleted without opening but haven't emptied from the deleted items folder) but there are several pdf files it's flagging as "Probably SCRIPT.Virus" -- those were all documents sent to me from my real estate agent regarding a deal about 1 yr ago.  I'm hoping those are false positives.

 

Bill



#4 noknojon


Posted 19 March 2014 - 05:42 AM

I asked you to select = If some files are not suitable to be cured, choose "Quarantine" (you can replace these)

 

Re run a Full Scan with a Freshly Updated Malwarebytes Anti-Malware.

Copy and Paste this log when finished -


Next -

Please scan your computer with ESET Online Scanner
Disable active Antivirus and Antimalware programs (see: How To Temporarily Disable Your Anti-virus)

This scan is best performed with Internet Explorer, as it uses ActiveX
If you will not or can not use Internet Explorer, then please read item 3 in this post

1 - Open Internet Explorer and hold down Control (Ctrl) key and click on This Link to open ESET OnlineScan in a new window.
2 - Click the ESET Online Scanner button.
3 - For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
a - Click on eset.exe to download the ESET Smart Installer. Save it to your desktop.
b - Double click on the icon on your desktop.
4 - Check "YES, I accept the Terms of Use."
5 - Click the Start button.
6 - Accept any security warnings from your browser.
7 - Under scan settings, check "Scan Archives" and "Remove found threats"
8 - Click Advanced settings and select the following:
* Scan potentially unwanted applications
* Scan for potentially unsafe applications
* Enable Anti-Stealth technology

9 - ESET will then download updates for itself, install itself, and begin scanning your computer.
10 - Please be patient as this will take some time (first time scans are always longer).
11 - When the scan completes, click List Threats
12 - Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
13 - Click the Back button and then Click the Finish button.
NOTE: Sometimes if ESET finds no infections it will not create a log.
If you lose the log it can be found at C:\Program Files\ESET\EsetOnlineScanner\log.txt
If no infections are found, then please tell me -
You can ignore any ESET detection of AdwCleaner...it is a false positive detection.


Last - Run a Temp File Cleaner

Download TFC to your desktop
• Close any open programs or windows.
• Double click the TFC icon to run the program

- Windows Vista / 7 / 8: Right click on it and select Run as Administrator.

• TFC will close all open programs itself in order to run.
• Click the Start button to begin the process.

• Allow TFC to run uninterrupted.
• The program should not take long to finish its job.
• Once it's finished it may automatically reboot your machine;
• if it doesn't, please manually reboot to ensure a complete clean.

No log is expected from TFC.



#5 Bill 0


Posted 20 March 2014 - 12:13 AM

With Dr. Web hung I had to reboot the system.  Dr. Web recommended upgrading to V9, and rerunning the scan with V9 appeared to clean all of the detections (there were also some "cure errors" on the original run with V7).

 

Rerunning MBAM:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.19.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16521
root :: HUTCHENS [administrator]

3/19/2014 2:32:22 PM
mbam-log-2014-03-19 (14-32-22).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 747638
Time elapsed: 1 hour(s), 58 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

-------------------------------------------------------------------------------------------------------------------------------

From ESET:

C:\$RECYCLE.BIN\S-1-5-21-2862145238-893531248-1780857412-1002\$RB1FPNG.exe    a variant of Win32/Toolbar.Visicom.A potentially unwanted application    deleted - quarantined
C:\$RECYCLE.BIN\S-1-5-21-2862145238-893531248-1780857412-1002\$RXOJ8O1.exe    a variant of Win32/Toolbar.Visicom.A potentially unwanted application    deleted - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe    a variant of Win32/HiddenStart.A potentially unsafe application    deleted - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe    a variant of Win32/HiddenStart.A potentially unsafe application    deleted - quarantined
C:\Users\Farnoosh\AppData\Local\temp\gbDfEaxK.exe.part    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application    deleted - quarantined
C:\Users\Farnoosh\Downloads\mp3rocket(1).exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application    deleted - quarantined
C:\Users\Farnoosh\Downloads\mp3rocket.exe    a variant of Win32/Toolbar.Visicom.A potentially unwanted application    deleted - quarantined
C:\Users\root\AppData\Local\temp\AskSLib.dll    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
C:\Users\root\AppData\Local\temp\nsg5AC1.tmp\ApnIC.dll    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
C:\Users\root\AppData\Local\temp\nsg5AC1.tmp\ApnToolbarInstaller.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
C:\Users\root\AppData\Local\temp\nsg5AC1.tmp\SearchResults.exe    a variant of Win32/Toolbar.Visicom.A potentially unwanted application    deleted - quarantined
C:\Users\root\AppData\Local\temp\nsuF253.tmp\ApnIC.dll    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
C:\Users\root\AppData\Local\temp\nsuF253.tmp\ApnToolbarInstaller.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
C:\Users\root\AppData\Local\temp\nsuF253.tmp\SearchResults.exe    a variant of Win32/Toolbar.Visicom.A potentially unwanted application    deleted - quarantined
C:\Users\root\AppData\Local\temp\nsy25BB.tmp\AskInstaller.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application    deleted - quarantined
C:\Windows\temp\TMP000022BC2435BC9EB0BAE69B    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
 

------------------------------------------------------

TFC ran as instructed.
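Added example, not code from the thread or from ESET: a small parser and triage pass over lines in the layout of the ESET export above. It splits each line into path, detection name and action, separates "potentially unwanted/unsafe application" entries from everything else, and groups hits by where they sat on disk (recycle bin, temp folders, Downloads, Program Files), which is how one reads a report like this as installer leftovers and bundled toolbars rather than an active infection. The sample log is constructed in the same format, with the detection names from the thread plus one constructed non-PUA line (Win32/Example.Trojan, a placeholder name) so that the escalation branch is exercised; user names and the recycle-bin SID are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the layout of an ESET Online Scanner export: one line
# per detection, fields separated by runs of spaces. Detection names are those
# pasted in the thread plus one constructed trojan line (placeholder name) so
# the triage has a non-PUA case; user names and the recycle-bin SID are fake.
SAMPLE_ESET_LOG = r"""
C:\$RECYCLE.BIN\S-1-5-21-0000000000-0000000000-0000000000-1002\$RB1FPNG.exe    a variant of Win32/Toolbar.Visicom.A potentially unwanted application    deleted - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe    a variant of Win32/HiddenStart.A potentially unsafe application    deleted - quarantined
C:\Users\alice\AppData\Local\temp\nsg5AC1.tmp\ApnToolbarInstaller.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
C:\Users\alice\Downloads\mp3rocket.exe    a variant of Win32/Toolbar.Visicom.A potentially unwanted application    deleted - quarantined
C:\Windows\temp\TMP000022BC2435BC9EB0BAE69B    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
C:\Users\alice\AppData\Roaming\svchost.exe    Win32/Example.Trojan trojan    cleaned by deleting - quarantined
"""

FIELD_SEP = re.compile(r"\s{2,}")                     # path / detection / action
DETECTION_RE = re.compile(r"^(?:a variant of )?(?P<family>\S+)\s+(?P<kind>.+)$")


def parse_eset_line(line):
    """One export line -> dict, or None if the line is not in the expected shape."""
    parts = FIELD_SEP.split(line.strip())
    if len(parts) != 3:
        return None
    path, detection, action = parts
    match = DETECTION_RE.match(detection)
    if not match:
        return None
    return {"path": path, "family": match["family"], "kind": match["kind"], "action": action}


def parse_eset_log(text):
    return [entry for entry in map(parse_eset_line, text.splitlines()) if entry]


def classify_location(path):
    """Coarse 'where did it live' bucket; the order matters (recycle bin first)."""
    p = path.lower()
    if "\\$recycle.bin\\" in p:
        return "recycle-bin"
    if "\\temp\\" in p:
        return "temp"
    if "\\downloads\\" in p:
        return "downloads"
    if "\\program files" in p:
        return "program-files"
    return "other"


def is_pua(kind):
    """ESET labels adware/toolbars 'potentially unwanted' or 'potentially unsafe application'."""
    return "potentially" in kind.lower()


def triage(entries):
    """Summarise a parsed report: PUA vs everything else, locations, families,
    and the non-PUA paths that deserve a closer look."""
    pua = [e for e in entries if is_pua(e["kind"])]
    other = [e for e in entries if not is_pua(e["kind"])]
    return {
        "total": len(entries),
        "pua": len(pua),
        "malware": len(other),
        "locations": dict(Counter(classify_location(e["path"]) for e in entries)),
        "families": dict(Counter(e["family"] for e in entries)),
        "all_remediated": all(e["action"].startswith(("deleted", "cleaned", "quarantined"))
                              for e in entries),
        "escalate": [e["path"] for e in other],
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(parse_eset_log(SAMPLE_ESET_LOG)))
```

Run against the thread's own export, every entry lands in the PUA branch and in a temp, Downloads or recycle-bin location, which is the same reading noknojon gives in the next reply; the one constructed trojan line shows what a result that would need follow-up looks like.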



#6 noknojon


Posted 20 March 2014 - 03:38 AM

Hi -

The general ESET result was like (a variant of Win32/Toolbar) and very minor PUPs.

You should Delete any traces of DrWeb by Right click / Delete, and check it is no longer listed in Programs.

You can leave ESET as is since we use it here very often, and it will be much quicker next time.


This should help clean out minor problems ......

Now: Please download AdwCleaner by Xplode and save to your Desktop.
NOTE : Please close or save all work, as the computer will be Rebooted
Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button. (only once)
AdwCleaner will begin...be patient as the scan may take some time to complete.
After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review. 
If you see any which you do not want removed, remove the check mark next to it. 

Next: Click on the Clean button (only once) to remove the selected items. 
You will receive a message telling you that all programs will be closed so that the infections can be removed. 
Click on OK, and then OK again to confirm the reboot.
When the cleaning process is complete a log (AdwCleaner[S0].txt ) of what was removed will be on your desktop. 
Please copy and then paste this log in your next post.

A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.



#7 Bill 0


Posted 20 March 2014 - 10:03 AM

Here's the ADW log:

# AdwCleaner v3.022 - Report created 20/03/2014 at 10:50:08
# Updated 13/03/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : root - HUTCHENS
# Running from : C:\Users\Bill\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

File Deleted : C:\Users\root\AppData\Roaming\Mozilla\Firefox\Profiles\c4rrb592.default\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\PIP

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16521


-\\ Mozilla Firefox v27.0.1 (en-US)

[ File : C:\Users\root\AppData\Roaming\Mozilla\Firefox\Profiles\c4rrb592.default\prefs.js ]


[ File : C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\0nitbz99.default\prefs.js ]


[ File : C:\Users\Farnoosh\AppData\Roaming\Mozilla\Firefox\Profiles\wesr2mz8.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [1961 octets] - [20/03/2014 10:46:11]
AdwCleaner[S0].txt - [1818 octets] - [20/03/2014 10:50:08]

########## EOF - \AdwCleaner\AdwCleaner[S0].txt - [1878 octets] ##########
 

BTW, I'm actually thinking of keeping Dr. Web around for a little bit.  McAfee rarely picks anything up, and I may switch to Dr. Web once my McAfee subscription runs out.



#8 noknojon


Posted 20 March 2014 - 10:31 PM

Hi -

The program is "generally" good, as I did use it for about a year.

 

I would Delete the version that I pointed you to, and just download and use their standard version.

 

Re open AdwCleaner and hit the Uninstall button now, as this is a use and dispose of program.

 

All other programs (MiniToolBox etc) can be removed by Right click > Delete; also check that they are not listed in Programs now.

 

Please tell me if the problem is now any better.



#9 Bill 0


Posted 21 March 2014 - 04:46 AM

I think we're OK; however, there wasn't any odd behavior from the computer other than the detection from MBAM of the original file that prompted the posting.  I am concerned that there did seem to be some real malware (not just the Ask toolbars that sometimes come with "freeware") that had gone undetected for some time.  As an aside, I had another malware incident about 1 1/2 years ago that made me slightly paranoid, so in addition to the scheduled scans from McAfee, I gradually added periodic manual scans with TDSSKiller, MBAM and Microsoft Defender (especially since my wife is into downloading Facebook games).  Coincidentally, I also just found the beta for the MBAR as well and gave that a try this weekend which found nothing too.  That's why I mentioned I'm thinking of keeping the trial of Dr. Web around and may switch to it permanently after the McAfee subscription expires.

 

One other thing, I thought that I messed up Firefox because I accidentally hit "clean" on ADW before unchecking things, and it took out all of the prefs files for Firefox.  After that run, I noticed that the FF preferences all returned to the default and I couldn't change the preferences.  It turned out that the new prefs file under my user mode account was owned by the administrator group instead of my user account.  Is that normal behavior for ADW?

 

Also, what is the reason for the user.js file that was in my admin account's FF profile?  That's another file I probably would have unchecked if I hadn't accidentally started the clean.  Is that OK to restore?



#10 noknojon


Posted 21 March 2014 - 08:05 PM

Microsoft Defender is good to run, but a fresh copy needs to be installed each time.
Often it will also ask you to temporarily disable your own anti-virus.

 

See http://kb.mozillazine.org/User.js_file for user.js details.  (from Firefox)

I do not understand this problem, but always ask, and I will research it deeper for you.

AdwCleaner is just a bit aggressive at times, and that is why it produces a report first.

 

McAfee has been "downgraded" just a bit, and I would not use it at the moment.
Please be sure to use and follow the instructions when you fully remove it (or ask for help).

 

Almost all the listed and used tools here are free, and good to use in most cases.
BUT never use ComboFix unless you have posted to Malware Removal first, and they advise it.
They know how to fix the problems if it heads the wrong way.

 

If this was the problem removal .............

File Deleted : C:\Users\root\AppData\Roaming\Mozilla\Firefox\Profiles\c4rrb592.default\user.js

 

I will look around for other answers. For now do not Delete or re-run the program
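On the user.js question: Firefox reads user.js on every startup and copies its values into prefs.js, so a setting pinned there keeps coming back no matter what is changed in the preferences UI, which is why adware installers write to it and why AdwCleaner treats the file as worth reporting. As an added example (not from the thread, the mozillazine page or AdwCleaner), here is a small inspector for a user.js file: it parses the user_pref lines and flags preferences that toolbars typically pin (homepage, keyword.URL, default search engine) and any URL value pointing at a host the owner does not recognise. The file content, the list of hijack-prone prefs and the trusted-host set are all constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Constructed user.js content (not from the thread). The homepage and keyword
# lines point at a reserved .invalid host, standing in for a toolbar's search
# redirect; the cache line is an ordinary user setting.
SAMPLE_USER_JS = r'''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://search.example-toolbar.invalid/?src=hp");
user_pref("keyword.URL", "http://search.example-toolbar.invalid/?q=");
user_pref("browser.cache.disk.enable", false);
user_pref("browser.search.defaultenginename", "Example Toolbar Search");
'''

# Preferences that adware and toolbars commonly pin through user.js so the
# change survives anything done in the Firefox UI. Hand-picked, not exhaustive.
HIJACK_PRONE_PREFS = {
    "browser.startup.homepage",
    "keyword.URL",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "browser.search.defaulturl",
    "browser.newtab.url",
}

# Hosts the owner recognises (constructed); any other host in a URL value is reported.
TRUSTED_HOSTS = {"www.mozilla.org", "www.google.com"}

USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_user_js(text):
    """user.js -> {pref name: typed value}. Comments and blank lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        match = USER_PREF_RE.match(line)
        if not match:
            continue
        name, raw = match.groups()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]                # string pref
        elif raw in ("true", "false"):
            value = raw == "true"            # boolean pref
        else:
            try:
                value = int(raw)             # integer pref
            except ValueError:
                value = raw                  # leave anything odd as text
        prefs[name] = value
    return prefs


def url_host(value):
    """Hostname of a URL-shaped string value, else None."""
    if isinstance(value, str) and "://" in value:
        return urlsplit(value).hostname
    return None


def find_hijacks(prefs, trusted_hosts=TRUSTED_HOSTS):
    """Report prefs that are hijack-prone or that point at an unrecognised host."""
    findings = []
    for name, value in prefs.items():
        reasons = []
        if name in HIJACK_PRONE_PREFS:
            reasons.append("hijack-prone pref overridden in user.js")
        host = url_host(value)
        if host and host not in trusted_hosts:
            reasons.append(f"points at untrusted host {host}")
        if reasons:
            findings.append({"pref": name, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_hijacks(parse_user_js(SAMPLE_USER_JS)):
        print(finding["pref"], "=", finding["value"], "->", "; ".join(finding["reasons"]))
```

A user.js that contains nothing but settings the owner remembers writing is safe to restore; one that pins the homepage or search engine to a host nobody recognises is the reason the tool deleted it, and those lines should stay gone.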





