
Hitman Pro found Trojan in Kaspersky folder?


15 replies to this topic

#1 Barginski

Barginski

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:07:27 PM

Posted 25 March 2016 - 09:16 AM

After running Hitman Pro today, it found rollback.dll to be a Trojan. It has Kaspersky in the extension (I run Internet Security); location is "C:\ProgramData\KasperskyLab\AVP15.0.2\Bases".

 

I have run HitmanPro many times before on this system and have never had this.

 

Nothing is picked up by Malwarebytes or Kaspersky itself. Does this sound like a legit threat or a false positive?


Also wanted to note, it lists it as "Trojan.genericKD.3117126"




#2 buddy215

buddy215

  • BC Advisor
  • 12,900 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:27 PM

Posted 25 March 2016 - 09:35 AM

Based on the location.....it is a false positive. Was there a reason for using Hitman Pro such as excessive ads?


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 Barginski

Barginski

Posted 25 March 2016 - 09:57 AM

I was just browsing a local news website with Firefox when the website locked up as it was loading, and I hit control-alt-delete to close Firefox, not knowing why it locked up. When I say locked up, I mean Firefox itself was not responsive; not a total system lockup. (I'm kind of paranoid about that sort of thing.) After closing Firefox, I got a message saying "Firefox has stopped working" and "Windows is checking for a solution to the problem." I hit "cancel" on that.

 

I just found it odd that I have run Hitman Pro dozens of times on the same setup and got nothing. Kaspersky itself hasn't found anything, and Malwarebytes doesn't seem to be either. After some more research, "rollback.dll" is a file within Kaspersky that is supposed to do just what it says. Last Kaspersky update was from 3:40 this morning. Maybe Hitman Pro just doesn't like the latest version of Kaspersky?



#4 buddy215

buddy215


Posted 25 March 2016 - 10:34 AM

Often what you describe is due to an add-on in Firefox. I've noticed several updates in the last few days for NoScript, and one website I visited acted the same as you described. I didn't attempt to close Firefox but waited several seconds and the site loaded. With Firefox updating and add-ons updating and websites changing.....I expect an occasional glitch.




#5 Barginski

Barginski

Posted 25 March 2016 - 10:38 AM

Now that you mention it, when loading certain websites such as Google, AND Bleepingcomputer, Malwarebytes gives me a popup saying it blocked outgoing access to ssl.gstatic.com, and gstatic.com. IP 216.58.192.163. Does this sound like an add-on issue?



#6 Barginski

Barginski

Posted 25 March 2016 - 11:07 AM

This is also occurring in Internet Explorer and Chrome... Getting multiple MBAM notifications in sequence saying this same message. Seems to occur when launching the browser, and when going to certain sites. Also when refreshing said sites. Some research said this is something affiliated with Google?


Edited by Barginski, 25 March 2016 - 11:08 AM.


#7 buddy215

buddy215


Posted 25 March 2016 - 11:14 AM

Run the programs below to cleanup and delete any adware or malware. Running a scan using MBAM would be a good idea, too.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google. After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.



#8 Barginski

Barginski

Posted 25 March 2016 - 11:20 AM

After looking at the Malwarebytes forums, the popup has been verified as a false positive, with tons of users reporting it in the last several minutes. After updating to the latest MBAM version as advised, the pop-ups have disappeared. MBAM and Kaspersky have both come back with clean scans. I will run the above tools tomorrow afternoon, as I work late tonight and early tomorrow. Thanks for all the help.


Edited by Barginski, 25 March 2016 - 11:20 AM.


#9 buddy215

buddy215


Posted 25 March 2016 - 11:28 AM

I allow gstatic.com to be blocked by NoScript in my Firefox. Allowing its scripts to run serves no useful purpose for the user.




#10 Barginski

Barginski

Posted 26 March 2016 - 05:08 PM

Okay, I've downloaded CCleaner. I am running a 64-bit Windows 7 system with my OS loaded on the C drive, and additional files (gaming mostly) on the D Drive. Should I install to the default location of "C:\Program files", or "C:\Program files(86)"?



#11 buddy215

buddy215


Posted 26 March 2016 - 05:14 PM

Default location...




#12 Barginski

Barginski

Posted 26 March 2016 - 05:47 PM

# AdwCleaner v5.007 - Logfile created 13/09/2015 at 20:16:21
# Updated 08/09/2015 by Xplode
# Database : 2015-09-10.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Owner - CUSTOM-PC
# Running from : C:\Users\Owner\Desktop\adwcleaner_5.007.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****

[-] File Deleted : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\12lad1jg.default\user.js

***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}

***** [ Web browsers ] *****

[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1077 bytes] ##########
# AdwCleaner v5.032 - Logfile created 05/02/2016 at 10:51:23
# Updated 31/01/2016 by Xplode
# Database : 2016-02-02.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Owner - CUSTOM-PC
# Running from : C:\Users\Owner\Downloads\AdwCleaner(1).exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2062 bytes] ##########
# AdwCleaner v5.105 - Logfile created 26/03/2016 at 18:45:23
# Updated 21/03/2016 by Xplode
# Database : 2016-03-26.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Owner - CUSTOM-PC
# Running from : C:\Users\Owner\Desktop\AdwCleaner(1).exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [3073 bytes] - [13/09/2015 20:16:21]
C:\AdwCleaner\AdwCleaner[S1].txt - [3077 bytes] - [13/09/2015 20:11:40]
C:\AdwCleaner\AdwCleaner[S2].txt - [1067 bytes] - [13/09/2015 20:15:04]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [3292 bytes] ##########
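The three AdwCleaner logs pasted above share one layout: "# key : value" header lines, "***** [ Section ] *****" headings, "[-] <what> : <target>" removal entries and ":: ..." global actions. The parser below is an added example (not part of the thread or of AdwCleaner itself) that splits a log into those parts so a helper can see at a glance which sections were clean and which items were actually removed; the SAMPLE_LOG is constructed from lines in the logs posted here.

```python
import re

# Constructed sample: header, section and entry lines copied from the
# AdwCleaner logs posted in this thread, trimmed to a few sections.
SAMPLE_LOG = r"""# AdwCleaner v5.105 - Logfile created 26/03/2016 at 18:45:23
# Option : Clean
***** [ Services ] *****
***** [ Files ] *****
[-] File Deleted : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\12lad1jg.default\user.js

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}

***** [ Web browsers ] *****

[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

:: "Tracing" keys removed
:: Winsock settings cleared
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")  # ***** [ Files ] *****
ENTRY_RE = re.compile(r"^\[-\] (.+?) : (.+)$")         # [-] <what> : <target>


def parse_adwcleaner_log(text):
    """Return (header dict, {section: [(what, target), ...]}, global actions)."""
    header, sections, actions, current = {}, {}, [], None
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        if line.startswith("# ") and " : " in line:      # "# Option : Clean"
            key, _, value = line[2:].partition(" : ")
            header[key.strip()] = value.strip()
        elif SECTION_RE.match(line):                      # new section; empty until an entry appears
            current = SECTION_RE.match(line).group(1)
            sections[current] = []
        elif line.startswith(":: "):                      # Winsock reset, tracing keys, etc.
            actions.append(line[3:])
        elif current and ENTRY_RE.match(line):            # one removed item in the current section
            sections[current].append(ENTRY_RE.match(line).groups())
    return header, sections, actions


def clean_sections(text):
    """Names of sections where AdwCleaner found nothing; the rest need a look."""
    return sorted(name for name, hits in parse_adwcleaner_log(text)[1].items() if not hits)
```

Run against the sample, only Services comes back clean, and the Web browsers section shows the two Chrome search providers (aol.com, ask.com) that every one of the three pasted logs removed.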



#13 Barginski

Barginski

Posted 26 March 2016 - 05:55 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.4 (03.14.2016)
Operating System: Windows 7 Home Premium x64
Ran by Owner (Administrator) on Sat 03/26/2016 at 18:48:43.56
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 8

Successfully deleted: C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IDTO3R5U (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K9H2223C (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L2H6XW3P (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PARQVCWN (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IDTO3R5U (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K9H2223C (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L2H6XW3P (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PARQVCWN (Temporary Internet Files Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 03/26/2016 at 18:52:33.12
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#14 buddy215

buddy215


Posted 26 March 2016 - 06:33 PM

Nothing much.....you might look in your browser(s) add-ons for Coupon Bar or anything with Coupon in it. The one item found may just be something left over from another scan or uninstall. There may even be something in your installed programs list with Coupon in its name.

 

Other than that....happy surfin'




#15 Barginski

Barginski

Posted 26 March 2016 - 06:42 PM

Yeah, I checked the programs list and found nothing. (Related to a Coupon Bar, or any programs I don't know about/recognize). Can't find anything in the add-ons folders for browsers, either. Hitman Pro lists it as "Coupon Bar." I always figured it's not a problem, and just kinda there, so I deal with it.

 

As far as CCleaner is concerned, it said it is monitoring the system and will alert me when it needs to be run again... Is this monitoring likely to negatively affect the system, either in the way of performance slowdown or conflicts with my AV/AM software? MBAM and Kaspersky are always monitoring everything, and I use this system for gaming mostly.

 

And thanks for all your help! I appreciate it.


Edited by Barginski, 26 March 2016 - 06:43 PM.




