
Don't know if virus or false positive


This topic is locked
13 replies to this topic

#1 Rachel9 (Members, 12 posts)

Posted 14 October 2016 - 10:34 AM

Hello everyone :)

 

I went to a suspicious website the other day but my antivirus didn't detect anything back then (I'm using Avira). The next day when I turned on my computer, I had a pop-up message from Avira warning me of a virus. I ran other programs (like Malwarebytes, EMCO Malware Destroyer, Trojan Remover...) and they found nothing.

 

I also ran a complete system scan with Avira and it detects nothing. But it has the supposed virus quarantined, and when I go to quarantine and check it again, it detects it as a virus again. The name of the supposed virus is: TR/Virtool.INF.Autorun.241.66. It says it is in the catroot2 folder.

 

Is there a way to manually delete it without harming my computer? I recreated a new catroot2 folder, and Avira still detects it. Is it actually a virus or is it a false positive (since Avira is the only program to detect it)? If I remove it from Avira's quarantine folder manually, will I be removing it from my computer or will it go back to not be quarantined?

 

Excuse me for asking so many questions... ;)



#2 boooliyooo (Members, 50 posts)

Posted 17 October 2016 - 11:11 PM

Hello,

 

You may want to refer to this link: https://answers.avira.com/en/question/trvirtoolinfautorun31954-17205

 

Please do not download the AdwCleaner based in that link. Instead, please go to this link http://www.bleepingcomputer.com/forums/t/629651/towkexe/#entry4104068 and refer to TsVk!'s instruction...



#3 Rachel9 (Topic Starter, Members, 12 posts)

Posted 18 October 2016 - 08:37 AM

boooliyooo wrote:
> Hello,
>
> You may want to refer to this link: https://answers.avira.com/en/question/trvirtoolinfautorun31954-17205
>
> Please do not download the AdwCleaner based in that link. Instead, please go to this link http://www.bleepingcomputer.com/forums/t/629651/towkexe/#entry4104068 and refer to TsVk!'s instruction...

I don't get it. Should I use AdwCleaner or DelFix?

 

I had already done a system scan with AdwCleaner and cleaned the infections; Avira still detects TR/Virtool.INF.Autorun.241.66.

I think I do have something because of the % of my CPU. It's almost always at 100% or at least 80%, it didn't use to be this high.


Edited by Rachel9, 18 October 2016 - 08:41 AM.


#4 boopme, "To Insanity and Beyond" (Global Moderator, 73,490 posts, NJ USA)

Posted 18 October 2016 - 10:45 AM

Hi, also run these.

Junkware Removal Tool
  • Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Rachel9 (Topic Starter, Members, 12 posts)

Posted 18 October 2016 - 03:03 PM

Thanks for answering. I ran both (with Avira off), here are the logs:

JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 16

Successfully deleted: C:\Users\Administrador\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Administrador\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Administrador\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E1BHZ0I4 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Administrador\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EFBYNULV (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Administrador\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Administrador\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HV1X9W8W (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Administrador\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Administrador\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQHWQM1E (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E1BHZ0I4 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EFBYNULV (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HV1X9W8W (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQHWQM1E (Temporary Internet Files Folder)



Registry: 3

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 18-10-2016 at 17:55:34,64
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

ESET:

C:\Users\Manuel\Downloads\845-ccsetup406.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted


 

Avira still detects the virus.

Also, I noticed a Windows Defender important update the day and hour I went to the suspicious website, but it says I can't undo it.



#6 boooliyooo (Members, 50 posts)

Posted 18 October 2016 - 09:56 PM

Hello...

 

Could you check if the detection of virus before/after the scan resides in the same path?



#7 Rachel9 (Topic Starter, Members, 12 posts)

Posted 19 October 2016 - 07:00 AM

boooliyooo wrote:
> Hello...
>
> Could you check if the detection of virus before/after the scan resides in the same path?

 

It does. It's a registry key in catroot2.



#8 boooliyooo (Members, 50 posts)

Posted 19 October 2016 - 11:58 AM

Thanks Rachel,

 

Are you able to post the log you performed for AdwCleaner?



#9 Rachel9 (Topic Starter, Members, 12 posts)

Posted 19 October 2016 - 02:58 PM

boooliyooo wrote:
> Thanks Rachel,
>
> Are you able to post the log you performed for AdwCleaner?

Sorry, I'm not because I did it a while ago and I didn't save the log. Or I saved it and then deleted it, I don't remember.



#10 boopme, "To Insanity and Beyond" (Global Moderator, 73,490 posts, NJ USA)

Posted 20 October 2016 - 11:39 AM

TR/Virtool.INF.Autorun.241.66 is an adware file; please run ADW again.

Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database if one is required.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button.
  • A window will open which lists the logs of your scans.
  • Click on the Scan tab.
  • Double-click the most recent scan which will be at the top of the list....the log will appear.
  • To open a Cleaning log, click on the Cleaning tab and double-click the log at the top of the list.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved to C:\AdwCleaner.


#11 Rachel9 (Topic Starter, Members, 12 posts)

Posted 21 October 2016 - 06:46 AM

So, I deleted the infected file from the Avira quarantine folder. I thought, maybe, problem solved, but when I search for something on YouTube the letters are bigger and it does seem like it has some publicity that it shouldn't have (on playlists).
I ran AdwCleaner and it detected a threat, I clicked to clean it, but (after rebooting the computer) it's still there.
It's this one: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}

Is it safe to remove it through the registry? AdwCleaner didn't remove it.


Edited by Rachel9, 21 October 2016 - 06:49 AM.


#12 boopme, "To Insanity and Beyond" (Global Moderator, 73,490 posts, NJ USA)

Posted 21 October 2016 - 09:52 AM

Hi, we need to get a deeper look to see why.
Repost your last post in a new topic ...
Start at step 6.

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#13 Rachel9 (Topic Starter, Members, 12 posts)

Posted 21 October 2016 - 11:50 AM

Ok, done: http://www.bleepingcomputer.com/forums/t/630082/trvirtoolinf-and-moz-extension/


Edited by Rachel9, 21 October 2016 - 11:51 AM.


#14 boopme, "To Insanity and Beyond" (Global Moderator, 73,490 posts, NJ USA)

Posted 21 October 2016 - 12:58 PM

Thank you !! New Topic
http://www.bleepingcomputer.com/forums/t/630082/trvirtoolinf-and-moz-extension/


Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.
From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.
Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.
The current wait time is 1 - 3 days and ALL logs are answered.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
To avoid confusion, I am closing this topic.



